In this weekly roundup from The Cyber Express, the global cybersecurity landscape continues to show rapid and uneven change, shaped by both regulatory shifts and escalating cyber threats. Governments are tightening oversight of new technologies such as artificial intelligence, while threat actors are simultaneously refining their techniques to exploit businesses, infrastructure, and end users across multiple platforms.  This edition of cybersecurity news brings together some of the most important developments of the week, ranging from significant amendments to the European Union’s AI Act to the expansion of malware campaigns into macOS environments and the discovery of a critical vulnerability in widely used enterprise firewall software.   It also covers major sentencing in a global ransomware case and a fresh warning from the FBI about the growing scale of cyber-enabled cargo theft targeting logistics and supply chain organizations. 

The Cyber Express Weekly Roundup 

EU Updates AI Act with Simpler Rules and New AI Content Bans 

In a significant regulatory update, the European Union has agreed to revise parts of the EU AI Act. The updated framework aims to simplify compliance requirements for businesses while simultaneously introducing stricter restrictions on harmful AI-generated content. Read more.. 

ClickFix Malware Campaign Expands to macOS 

Another key development is the expansion of the ClickFix malware campaign beyond Windows systems. Security researchers at Microsoft have confirmed that the operation is now targeting macOS users using deceptive troubleshooting content. Read more... 

Critical PAN-OS Vulnerability Enables Remote Code Execution 

A critical security flaw has been identified in Palo Alto Networks’ PAN-OS firewall software. Tracked as CVE-2026-0300, the vulnerability carries a CVSS score of 9.3, indicating severe risk. The issue originates from a buffer overflow vulnerability in the User-ID Authentication Portal. Read more... 

Latvian Cybercriminal Sentenced in Global Ransomware Case 

Latvian national Deniss Zolotarjovs has been sentenced to 102 months in prison for his role in a large-scale ransomware operation. According to the U.S. Department of Justice, the group operated under multiple ransomware brands, including Conti, Royal, Akira, and Karakurt. Between 2021 and 2023, the organization carried out attacks against more than 54 companies worldwide, using data theft and encryption-based extortion tactics to pressure victims into paying ransom demands. Read more... 

FBI Warns of Rising Cyber-Enabled Cargo Theft 

The FBI has issued an alert regarding a sharp rise in cyber-enabled cargo theft. Criminal actors are using impersonation techniques to pose as legitimate logistics providers, allowing them to intercept and redirect freight shipments. The agency noted that logistics, shipping, and insurance companies have been targeted since at least 2024. Read more... 

Weekly Takeaway 

This week’s The Cyber Express weekly roundup highlights the growing convergence of regulatory change, advanced malware threats, critical infrastructure vulnerabilities, ransomware enforcement actions, and supply chain fraud. As the global cybersecurity landscape continues to evolve, organizations across all sectors remain under increasing pressure to strengthen defenses and adapt to emerging risks. 

The rollout of the UK’s Online Safety Act in July 2025 was intended to create a safer digital environment for children through stricter age verification rules, tighter moderation standards, and stronger protections against harmful online content. However, early evidence suggests that many of the safeguards introduced under the legislation can still be bypassed with surprisingly simple tactics, including a fake moustache drawn with makeup.  Recent findings have raised concerns among parents, researchers, and digital safety experts about the effectiveness of current age verification systems. While the Online Safety Act has led to some improvements in children’s online experiences, critics argue that enforcement remains inconsistent and that many platforms are still vulnerable to manipulation.  One of the most widely discussed examples involved a 12-year-old boy who reportedly used an eyebrow pencil to create a fake moustache before facing a facial age estimation check. According to the report, the altered appearance convinced the system that he was 15 years old, allowing him to bypass restrictions designed for younger users. The incident has become a symbol of broader concerns about the reliability of AI-driven age-verification technologies. 

Online Safety Act Faces Early Challenges 

The Online Safety Act was introduced to strengthen online child protection measures by requiring platforms to implement stricter checks and reduce children’s exposure to harmful material. The legislation also aimed to improve reporting tools and create safer digital spaces for younger users.  Despite those goals, the report suggests that loopholes remain widespread. Children have reportedly been bypassing protection through several methods, including entering false birthdates, borrowing adult credentials, sharing accounts, and using VPN services. More advanced attempts have also involved spoofing facial recognition systems used in age verification processes.  Survey data cited in the findings revealed that nearly half of children believe current age verification systems are easy to evade. Around one-third admitted to bypassing these systems in recent months.  The fake moustache example particularly highlighted weaknesses in facial age estimation tools that rely heavily on visual indicators rather than stronger forms of identity confirmation. Experts argue that systems based primarily on appearance can be vulnerable to minor cosmetic changes, lighting adjustments, or camera manipulation. 

Mixed Results Following Online Safety Act Rollout 

Although concerns over age verification remain significant, the report noted that the Online Safety Act has produced some positive outcomes. Approximately half of the surveyed children said they were now seeing more age-appropriate content online. In addition, around 40% of both children and parents stated that the internet feels somewhat safer since the legislation came into effect.  Many children also appeared supportive of increased online protections. The findings showed that younger users generally approved of stricter platform rules, reduced interaction with strangers, and limitations placed on high-risk platform features.  Around 90% of children who noticed stronger moderation systems and improved reporting tools viewed those changes positively. Researchers said this indicates that many younger users are willing to engage with safer digital environments when protections are implemented effectively.  Still, the improvements have not been universal. Within just one month of new child protection codes being introduced under the Online Safety Act, nearly half of the children surveyed reported encountering harmful content online. This included violent material, hate speech, and body image-related content, all categories the legislation specifically aims to regulate. 

Privacy Concerns Grow Around Age Verification 

The expansion of age verification requirements has also triggered growing concerns over privacy and data security. More than half of the children surveyed said they had been asked to verify their age within a recent two-month period. These checks were reportedly common across major platforms, including TikTok, YouTube, Google services, and Roblox.  Many platforms now rely on technologies such as facial age estimation, government-issued identification checks, and third-party age assurance providers to comply with the Online Safety Act. While users generally described the systems as easy to complete, concerns remain about how sensitive data is collected, stored, and potentially reused.  Parents expressed unease about whether biometric information and identity documents submitted during age verification could later be retained by companies or accessed by government agencies. Those concerns have intensified calls for more centralized and privacy-focused verification systems instead of fragmented checks spread across multiple online services.  Experts argue that current approaches may not strike the right balance between child safety and personal privacy. They warn that if the weaknesses exposed by tactics like the fake moustache incident are not addressed, public trust in these systems could continue to decline. 

A newly disclosed local privilege escalation (LPE) vulnerability known as Dirty Frag is raising serious concerns across the Linux ecosystem after researchers revealed that the flaw can grant root access to most major Linux distributions. The vulnerability, which currently remains unpatched, has been described as a successor to the previously disclosed Copy Fail flaw tracked as CVE-2026-31431.  Security researcher Hyunwoo Kim, also known online as @v4bel, publicly disclosed the issue after what he described as a breakdown in the coordinated disclosure and embargo process. The vulnerability was initially reported to Linux kernel maintainers on April 30, 2026, but no official fixes or CVE identifiers had been assigned at the time of disclosure.  According to Kim, Dirty Frag is not a single bug but a vulnerability class capable of achieving root privileges across many Linux distributions by chaining together two separate flaws: the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability.  Kim explained in his technical write-up:  “Dirty Frag is a vulnerability (class) that achieves root privileges on most Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability.”  He further noted that Dirty Frag extends the same bug class associated with Dirty Pipe and Copy Fail (CVE-2026-31431). Unlike race-condition-based attacks, Dirty Frag operates through a deterministic logic flaw, making exploitation more reliable.  “Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high.” 

Dirty Frag Targets Multiple Linux Distributions 

The new LPE vulnerability affects a broad range of Linux distributions, including Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44. Researchers warned that successful exploitation allows an unprivileged local user to escalate privileges and gain full root access.  In a public disclosure sent to the oss-security mailing list on May 8, 2026, Kim described Dirty Frag as a “universal Linux LPE” capable of compromising all major Linux distributions.  The disclosure stated:  “This is a report on ‘Dirty Frag’, a universal LPE that allows obtaining root privileges on all major distributions.”  Kim also emphasized that the impact closely resembles Copy Fail, or CVE-2026-31431, which has already been observed under active exploitation in the wild. 

How Dirty Frag Works 

The first component of Dirty Frag, the xfrm-ESP Page-Cache Write vulnerability, originates from the IPSec (xfrm) subsystem. Researchers said it provides attackers with a four-byte store primitive similar to CVE-2026-31431 and allows overwriting small portions of the kernel page cache.  However, exploitation through the xfrm-ESP path requires an unprivileged user to create a namespace. Ubuntu blocks this behavior through AppArmor restrictions, limiting the effectiveness of that exploit path on Ubuntu-based Linux distributions.  To bypass that limitation, Dirty Frag chains a second flaw: the RxRPC Page-Cache Write vulnerability.  Kim explained:  “RxRPC Page-Cache Write does not require the privilege to create a namespace, but the rxrpc.ko module itself is not included in most distributions.”  He added that while RHEL 10.1 does not ship the rxrpc.ko module by default, Ubuntu systems load it automatically. By combining both vulnerabilities, attackers can adapt exploitation techniques depending on the target environment.  “Chaining the two variants makes the blind spots cover each other. In an environment where user namespace creation is allowed, the ESP exploit runs first. Conversely, on Ubuntu, where user namespace creation is blocked but rxrpc.ko is built, the RxRPC exploit works.” 

Links to Older Linux Kernel Vulnerabilities 

Researchers traced the xfrm-ESP vulnerability back to a Linux kernel source code commit made in January 2017. Interestingly, the same commit was also identified as the root cause of another serious Linux kernel issue, CVE-2022-27666, a buffer overflow vulnerability with a CVSS score of 7.8 that affected multiple Linux distributions.  The RxRPC Page-Cache Write vulnerability, meanwhile, was reportedly introduced in June 2023.  Security firm CloudLinx stated in an advisory that the flaw exists in the “ESP-in-UDP MSG_SPLICE_PAGES no-COW fast path” and is reachable through the XFRM user netlink interface.  AlmaLinux also released a technical analysis explaining how the issue impacts kernel memory handling:  “The bug lives in the in-place decryption fast paths of esp4, esp6, and rxrpc: when a socket buffer carries paged fragments that are not privately owned by the kernel, the receive path decrypts directly over those externally-backed pages.”  According to the advisory, this behavior can expose or corrupt plaintext data while an unprivileged process still maintains a reference to the affected pages. 

Public PoC Increases Risk for Linux Distributions 

The threat level surrounding Dirty Frag has intensified due to the public release of a fully working proof-of-concept exploit. Researchers warned that the exploit can grant root access using a single command, significantly lowering the barrier for attackers.  Until official patches become available, administrators are urged to disable the affected modules manually. The recommended mitigation command is: 

sudo sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true" 

Security experts also warned that Dirty Frag importantly differs from CVE-2026-31431. Unlike Copy Fail, Dirty Frag can still be exploited even if the Linux kernel’s algif_aead module has been disabled.  Kim stated:  “Note that Dirty Frag can be triggered regardless of whether the algif_aead module is available.”  He further cautioned:  “In other words, even on systems where the publicly known Copy Fail mitigation (algif_aead blacklist) is applied, your Linux is still vulnerable to Dirty Frag.”  With no patches currently available and exploit code already circulating publicly, the newly disclosed Dirty Frag LPE vulnerability presents a significant risk to Linux distributions worldwide. 

The European Union has reached a provisional agreement to amend parts of the EU AI Act, introducing simplification measures for businesses while also expanding restrictions on harmful AI applications, including so-called “nudifier” apps and AI-generated child sexual abuse material. The agreement, reached early Thursday by negotiators from the European Parliament and the Council, forms part of the EU’s broader “digital omnibus” package aimed at refining the implementation of the bloc’s landmark AI legislation. The updated proposal seeks to reduce compliance burdens and legal uncertainty for AI providers while maintaining the AI Act’s core risk-based framework. Lawmakers said the changes are designed to make the rules more practical without weakening safeguards tied to safety, privacy, and fundamental rights.

EU AI Act Deadlines Pushed to Reduce Legal Uncertainty

One of the biggest changes under the proposed amendments is the postponement of several obligations linked to high-risk AI systems. Under the revised timeline, rules for AI systems classified as high-risk due to their use cases will now apply from 2 December 2027. These systems include AI deployed in biometric identification, critical infrastructure, education, employment, law enforcement, and border management. Meanwhile, AI systems used as safety components under sector-specific EU product safety laws will face compliance obligations from 2 August 2028. The agreement also delays watermarking obligations for AI-generated content until 2 December 2026. The European Commission had earlier proposed a February 2027 implementation date. Watermarking tools are intended to help identify and trace AI-generated images, audio, and video content. Lawmakers said the postponements are necessary to ensure technical standards and implementation guidance are fully in place before the rules become enforceable.

EU Bans Nudifier Apps and AI-Generated Abuse Content

A major part of the agreement focuses on tightening restrictions around harmful AI-generated sexual content. Negotiators agreed to ban AI systems designed to create child sexual abuse material or generate explicit deepfake content involving identifiable individuals without consent. The restriction covers images, video, and audio content. The EU AI Act ban specifically applies to companies placing such AI systems on the EU market, providers failing to include reasonable safeguards against misuse, and users deploying the systems to create illegal or non-consensual explicit material. The decision directly targets “nudifier” apps, which use AI to digitally remove clothing or generate fake explicit imagery of individuals. Companies operating such systems will have until 2 December 2026 to comply with the new requirements. Michael McNamara, co-rapporteur for the Civil Liberties, Justice and Home Affairs committee, said the agreement strengthens the EU’s ability to act against AI systems that threaten human dignity and fundamental rights. “I’m pleased that this morning we reached an agreement on the AI Omnibus,” McNamara said. “Alongside simplification measures, we are banning nudification apps, a key part of the Parliament’s mandate, and, of course, the creation of child sexual abuse material using AI systems.”

Simplification Measures for AI Providers and SMEs

The amendments also introduce several simplification measures intended to reduce overlapping compliance requirements for companies developing AI technologies. Under the new framework, machinery products with AI features will no longer need to comply separately with both the EU AI Act and sector-specific safety laws if existing safety rules already provide equivalent protection. Lawmakers also narrowed the definition of “safety component” within the EU AI Act. This means AI functions designed only to assist users or improve product performance will not automatically be classified as high-risk unless their failure creates health or safety risks. Another change allows companies to process personal data where strictly necessary to detect and correct bias in AI systems, provided appropriate safeguards are in place. The agreement further extends certain exemptions previously available only to small and medium-sized enterprises (SMEs) to small mid-cap companies. EU officials said the move is intended to help startups and growing technology firms scale AI innovation more easily within Europe. Arba Kokalari, co-rapporteur for the Internal Market and Consumer Protection committee, said the revised rules strike a balance between innovation and regulation. “With this agreement, we show that politics can move just as quickly as technology,” Kokalari said. “We now make the AI rules more workable in practice, remove overlaps and pause the high-risk requirements.”

Next Steps for the EU AI Act Amendments

The provisional agreement still requires formal approval from both the European Parliament and the Council before it can become law. EU lawmakers are aiming to finalize adoption before 2 August 2026, which marks the scheduled start date for existing high-risk AI system rules under the original AI Act framework. The negotiations are part of the EU’s continuing effort to shape global standards around artificial intelligence governance while addressing concerns related to safety, transparency, and misuse of generative AI technologies.

A major QLearn cybersecurity incident has affected thousands of educational institutions globally, including Queensland state schools and universities, after a cyber breach involving third-party education technology provider Instructure exposed personal information linked to students and staff. Queensland Education Minister John-Paul Langbroek confirmed the incident in an official statement, saying the Queensland Department of Education was briefed about the international cybersecurity breach involving Instructure, the provider behind the Department’s online learning platform, QLearn. According to early assessments, the breach may affect more than 200 million people and over 9,000 institutions worldwide, making it one of the largest education-sector cybersecurity incidents disclosed this year.

QLearn Cybersecurity Incident Impacts Queensland Schools

The Department of Education said students and staff who have worked or studied at Education Queensland schools since 2020 may have been affected by the QLearn cybersecurity incident. Authorities stated that compromised information currently appears limited to names, email addresses, and school locations. Officials added there is currently no evidence that passwords, dates of birth, or financial information were accessed during the breach. The online learning platform QLearn was introduced in Queensland schools in 2020 under the previous government and has since become a widely used digital education system across the state. Minister Langbroek said school principals have already begun contacting affected families and teachers to notify them about the breach and provide further guidance. “This morning I have been briefed by the Department of Education about an international cybersecurity breach involving a third-party provider, Instructure, which delivers the Department’s online learning platform, QLearn,” Langbroek said in the statement.

Instructure Data Breach Raises Concerns Across Education Sector

The QLearn cybersecurity incident has once again highlighted the growing cybersecurity risks facing the global education sector, particularly as schools and universities continue relying heavily on third-party digital learning platforms. Because the breach involves Instructure, a provider serving institutions across multiple countries, the incident extends far beyond Queensland. Authorities indicated that educational institutions across Australia and overseas are also impacted. While officials stressed that no sensitive financial or authentication data has been identified as compromised so far, cybersecurity experts often warn that exposed personal information such as names and email addresses can still be valuable to cybercriminals. Threat actors frequently use this type of information in phishing campaigns, identity-based scams, and social engineering attacks targeting students, parents, and school employees. The Department of Education has not publicly disclosed how the cybersecurity breach occurred or whether any ransomware or unauthorized network access was involved. Investigations into the incident are ongoing.

Queensland Department Prioritizes Support for Vulnerable Families

In response to the QLearn cybersecurity incident, the Queensland Department of Education said it is prioritizing support for vulnerable individuals and families potentially affected by the breach. According to the Minister’s statement, the Department is providing priority assistance to families and teachers with known family and domestic violence concerns, as well as individuals connected to Child Safety services. The additional support measures appear aimed at reducing potential risks associated with the exposure of school-related location information and contact details. Government agencies increasingly recognize that cybersecurity incidents affecting education systems can carry broader safety implications, especially for vulnerable groups whose personal or location-related information may require additional protection.

Global Education Sector Continues Facing Cybersecurity Threats

The QLearn cybersecurity incident adds to a growing list of cyberattacks and data breaches targeting educational institutions worldwide. Schools, universities, and online learning providers have become frequent targets due to the large amount of personal information they manage and the widespread use of interconnected digital platforms. Education systems often rely on multiple third-party vendors for online learning, communications, and student management services, increasing the potential attack surface for cybercriminals. The Queensland Department of Education said it will continue updating the public as more information becomes available from the ongoing investigation into the breach. At this stage, authorities have not advised affected individuals to reset passwords or take additional security measures, though officials are continuing to assess the full scope and impact of the incident. The investigation into the Instructure-related breach remains active as educational institutions worldwide work to determine the extent of the exposure and any potential long-term cybersecurity implications.

The cybersecurity posture of the U.S. oil and gas sector has come under renewed scrutiny following Operation Epic Fury, with a new independent survey revealing a disconnect between operator confidence and actual operational technology (OT) security capabilities. While companies across the upstream and midstream energy segments have accelerated cybersecurity investments since the February 28 launch of Operation Epic Fury, the findings suggest many organizations may still lack the tools needed to identify real-time cyber threats targeting OT environments.  The independent survey, conducted on behalf of Tosi, examined the views of OT decision makers across U.S. oil and gas operators. The research found that most respondents believe they can detect an active OT cyber breach within 24 hours. However, the same OT decision makers acknowledged relying heavily on systems and processes not specifically designed to monitor OT infrastructure.  According to the survey data, 87 percent of operators rated themselves as confident in their ability to detect an OT breach within a day, assigning their organizations a score of four or five on a five-point confidence scale. Despite that confidence, 51 percent said their detection capabilities primarily depend on IT security tools that provide only limited visibility into OT-specific network traffic.  Another 27 percent of respondents said they would depend on field operators or technicians identifying irregularities manually, while only 16 percent reported using continuous OT monitoring as the primary basis for cyber threat detection. Sakari Suhonen, CEO of Tosi U.S., warned that this gap represents a major vulnerability for the energy sector in the wake of Operation Epic Fury.  “This is the most consequential blind spot in U.S. energy infrastructure right now,” Suhonen said. “The sector has the budget, the executive attention, and the will to act. What it does not yet have is detection that actually sees OT. After Operation Epic Fury, that distinction is the difference between catching an intrusion in hours and finding out about it from a production outage.” 

Operation Epic Fury Drives Rapid OT Security Spending 

The independent survey was fielded in April 2026, approximately six weeks after Operation Epic Fury began. Researchers noted that the speed of the sector’s response has been unusually aggressive compared to previous cybersecurity cycles.  One of the clearest trends identified by OT decision makers involved changing perceptions of cyber risk. Sixty-three percent of surveyed operators said cyber risk is now higher than it was before February 28, with 13 percent describing the increase as significant.  Respondents identified several key factors contributing to elevated risk levels, including growing convergence between IT and OT systems, increased targeting of energy infrastructure by state-sponsored cyber actors, and expanding dependence on third-party remote access technologies.  The independent survey also showed that emergency cybersecurity funding is already being deployed. Ninety-four percent of operators said they had either approved or were actively reviewing unplanned OT security spending linked directly to the post-Operation Epic Fury threat landscape. Among OT decision makers surveyed, 95 percent expect OT cybersecurity budgets to increase over the next 12 months, while one in four anticipated budget growth exceeding 20 percent. 

OT Decision Makers Prioritize Detection and Visibility 

The survey findings indicate that OT decision makers are placing greater emphasis on visibility and detection capabilities rather than traditional perimeter security tools.  When respondents were asked to identify the single most important OT security capability to improve over the next year, 22 percent selected continuous monitoring and anomaly detection. Another 20 percent pointed to OT-specific incident detection and response solutions.  Additional priorities included asset discovery at 15 percent and OT-specific secure remote access at 14 percent. Combined, detection, visibility, and remote access technologies accounted for 71 percent of all named priorities among surveyed OT decision makers.  At the same time, operational disruptions linked to cybersecurity incidents appear widespread throughout the sector. According to the independent survey, 99 out of 100 operators reported experiencing at least one category of cyber incident since February 28.  Ransomware affecting OT-connected systems impacted 48 percent of operators surveyed, while another 48 percent reported precautionary OT shutdowns triggered by incidents originating on the IT side of operations. 

Human Challenges Continue to Slow OT Security Progress 

Despite the increase in cybersecurity spending following Operation Epic Fury, many organizations continue to struggle with internal operational barriers. The independent survey found that 45 percent of operators consider the cultural divide between IT and OT teams to be the single largest obstacle preventing faster cybersecurity improvements. Respondents said IT security personnel often lack the specialized expertise required to secure OT environments effectively.  Operational risk aversion ranked as the second-largest barrier at 28 percent. By contrast, only 11 percent of respondents identified budget constraints as a major challenge, marking a notable change from previous industry research in which financial limitations consistently ranked as the top concern for OT decision makers.  The findings emerge amid continuing warnings from federal authorities regarding Iran-aligned cyber activity targeting Western critical infrastructure after Operation Epic Fury. On April 7, six U.S. federal agencies — including the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Energy — issued joint advisory AA26-097A. The advisory confirmed that Iranian-affiliated threat actors were actively disrupting programmable logic controllers across U.S. energy, water, and government sectors, resulting in operational disruptions and financial losses.  The Railroad Commission of Texas later issued a parallel warning to operators on April 10. According to Tosi, the independent survey represents the first dataset quantifying how the oil and gas sector itself is responding to the cybersecurity environment created by Operation Epic Fury. Suhonen said the industry’s next decisions regarding OT security investments will determine whether organizations close existing detection gaps or reinforce systems that remain ineffective for OT environments.  “The next twelve months will see oil and gas spend more on OT security than in the previous several years combined,” Suhonen said. “That spend will land in one of two places. It will close the detection gap with OT-native monitoring, asset visibility, and purpose-built secure remote access. Or it will deepen the IT-tool stack that operators have already told us they cannot see what they need it to see. The data is unambiguous about which path the market needs to take.” 

A recently disclosed set of vulnerabilities in Salesforce Marketing Cloud, widely known as SFMC, has drawn attention to the security risks tied to centralized marketing infrastructure.   The flaws, which affected components tied to AMPScript, CloudPages, and email-rendering workflows, could have enabled attackers to access subscriber information, enumerate marketing emails, and potentially affect organizations across multiple tenants.  Security researchers found that weaknesses in SFMC’s templating engine and cryptographic implementation introduced opportunities for unauthorized data access across customer environments. 

AMPScript and SFMC Template Injection Risks 

Modern enterprises rely heavily on Salesforce Marketing Cloud to manage large-scale marketing campaigns, personalized customer journeys, and trackable email communications. The platform, formerly known as ExactTarget, supports dynamic content generation through technologies such as AMPScript, Server-Side JavaScript (SSJS), and internal data views connected to large subscriber databases.  While these features provide flexibility for marketers, researchers noted that they also increase the impact of any underlying vulnerability. One of the major concerns centered on SFMC’s server-side templating framework.  AMPScript and SSJS allow organizations to dynamically insert subscriber attributes such as names, email addresses, and engagement metrics directly into marketing content. However, functions like TreatAsContent introduced a dangerous behavior because they effectively evaluate user-controlled input as executable template code. Researchers explained that if attacker-controlled data was passed into these functions, it could trigger template injection inside Salesforce Marketing Cloud environments.  The issue became more severe because SFMC historically supported AMPScript execution within email subject lines. According to the findings, legacy behavior caused subject templates to be evaluated twice by default. That design opened the door for payload execution during the second rendering stage. Researchers demonstrated the risk using the following payload inside a name field:  %%=RowCount(LookupRows("_Subscribers","SubscriberKey",_subscriberkey))=%%  If processed during the second evaluation phase, the payload could execute successfully and create a reliable injection point inside the marketing workflow.  Once template execution was achieved, attackers could potentially use built-in SFMC functions such as LookupRows to query internal Data Views, including: 

• _Subscribers  
• _Sent  
• _Job  
• _SMSMessageTracking  
• _Click  

Access to these views could expose subscriber lists, email delivery records, engagement metrics, and message history associated with affected Salesforce Marketing Cloud tenants. 

CloudPages and “View Email in Browser” Vulnerability

Researchers identified an even more serious vulnerability tied to SFMC’s “view email in browser” functionality and CloudPages infrastructure. Many Salesforce customers configure branded domains such as view.example.com or pages.example.com that route back to shared SFMC infrastructure. These links typically rely on an encrypted qs parameter containing tenant and message-specific information. According to researchers from Searchlight Cyber, the older “classic” qs implementation used unauthenticated CBC encryption. The researchers found that the implementation behaved as a padding oracle, which made it possible to decrypt and re-encrypt query string parameters under certain conditions. Initially, the researchers abused the weakness using the Padre tool before later improving the process through the AMPScript MicrositeURL function.  This allowed them to forge valid QS values and access workflows such as “Forward to a Friend,” which could resolve subscriber identifiers into actual email addresses.  One of the most concerning aspects of the vulnerability was SFMC’s use of a single static encryption key shared across tenants. Researchers stated that once the cryptographic structure became understood, attackers could theoretically enumerate subscribers and access email content across multiple organizations using the same mechanism.

Legacy Encryption Weaknesses Expanded the Attack Surface 

The researchers also uncovered an older URL format that relied on per-parameter “encryption.” However, the mechanism reportedly consisted of a repeating static XOR key combined with a checksum. Although the scheme was considered legacy functionality, researchers found that it still worked on modern SFMC tenants. Because the implementation lacked strong cryptographic protections, attackers could decrypt and enumerate parameters such as JobID and ListSubscriber at high speed without relying on the slower padding-oracle technique.  The findings highlighted how legacy systems inside large cloud platforms can continue to create security exposure long after newer protections are introduced. 

Impact of the Salesforce Marketing Cloud Vulnerability 

Researchers concluded that the combined vulnerabilities could have enabled attackers to: 

• Enumerate and exfiltrate subscriber records  
• Access sent marketing emails and engagement data  
• Forge cross-tenant QS tokens  
• Access emails belonging to other organizations  
• Exploit hard-coded cryptographic material  
• Abuse argument-injection flaws tied to the MicrositeURL function  
• Manipulate CloudPages and other SFMC web workflows  

To address the issues, Salesforce assigned multiple CVEs covering several root causes, including insecure cryptographic implementations, hard-coded keys, and argument injection vulnerabilities affecting MicrositeURL and CloudPages components.  According to Salesforce, the vulnerabilities were reported on 16 January 2026. Mitigations were deployed between 21 January and 24 January 2026. The company stated that it had identified no confirmed malicious exploitation at the time of disclosure.  As part of the remediation process, Salesforce migrated Marketing Cloud Engagement encryption to AES-GCM, rotated encryption keys, and disabled the double evaluation behavior tied to AMPScript subject-line rendering.  The company also invalidated all legacy tracking and CloudPages links created before 21 January 2026 at 23:00 UTC. Those links expired globally on 23 January 2026 at 21:00 UTC. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched a new initiative called “CI Fortify” aimed at helping critical infrastructure operators prepare for disruptive cyberattacks linked to geopolitical conflicts. The initiative comes amid growing concerns over nation-state cyber threats targeting operational technology (OT) systems that support essential services across the United States. The CI Fortify initiative focuses on improving critical infrastructure resilience through two key objectives: isolation and recovery. CISA said the effort is designed to help operators maintain essential operations even if adversaries compromise telecommunications networks, internet services, or industrial control systems. According to the agency, nation-state actors are no longer limiting their activities to espionage. Instead, threat groups have increasingly been pre-positioning themselves inside critical infrastructure environments to potentially disrupt or destroy systems during future geopolitical conflicts.

CI Fortify Initiative Focuses on Isolation and Recovery

Under the CI Fortify initiative, CISA is urging critical infrastructure organizations to assume that third-party communications and service providers may become unreliable during a crisis. Operators are also being asked to plan under the assumption that threat actors may already have some level of access to OT networks. Nick Andersen, Acting Director at CISA, emphasized the need for organizations to prepare for worst-case operational scenarios. “In a geopolitical crisis, the critical infrastructure organizations Americans rely on must be able to continue delivering, at a minimum, crucial services,” Andersen said. “They must be able to isolate vital systems from harm, continue operating in that isolated state, and quickly recover any systems that an adversary may successfully compromise.” The isolation strategy outlined under CI Fortify involves proactively disconnecting operational technology systems from external business networks and third-party connections. CISA said this approach is intended to prevent cyber impacts from spreading into OT environments while allowing organizations to continue delivering essential services in a degraded communications environment. The agency advised operators to identify critical customers, including military infrastructure and other lifeline services, and determine the minimum operational capabilities needed to support them during emergencies. CISA also recommended updating engineering processes and business continuity plans to support safe operations for extended periods while systems remain isolated.

Recovery Planning Central to Critical Infrastructure Resilience

Alongside isolation, the CI Fortify initiative places strong emphasis on recovery planning. CISA urged operators to maintain updated system documentation, create secure backups of critical files, and regularly practice system replacement or manual operational transitions. The agency noted that organizations should also identify communications dependencies that could complicate recovery efforts, such as licensing servers, remote vendor access, or upstream network connections. CISA encouraged operators to work closely with managed service providers, system integrators, and vendors to understand potential failure points and establish alternative recovery pathways. The initiative also highlights broader benefits of emergency planning beyond cybersecurity incidents. According to CISA, the same planning processes can help organizations maintain operations during weather-related disruptions, equipment failures, and safety emergencies. The agency said isolation planning can help cut off command-and-control access to compromised systems, while strong recovery preparation can reduce incident response costs and shorten recovery timelines.

Security Vendors and Service Providers Asked to Support CI Fortify

The CI Fortify initiative extends beyond infrastructure operators and calls on cybersecurity vendors, industrial automation suppliers, and managed service providers to support resilience planning efforts. Industrial control system vendors are being encouraged to identify barriers that could interfere with isolation and recovery procedures, including licensing restrictions and server dependency issues. Managed service providers and integrators are expected to assist organizations in engineering updates, local backup collection, and recovery documentation planning. Meanwhile, security vendors are being asked to support threat monitoring and provide intelligence if nation-state actors shift from espionage-focused activity to destructive cyber operations. CISA also requested vendors share information related to tactics that could undermine recovery or bypass isolation protections, including malicious firmware updates and vulnerabilities affecting software-based data diodes.

Volt Typhoon Cyberattacks Continue to Shape U.S. Cybersecurity Strategy

The launch of CI Fortify is closely tied to ongoing concerns surrounding the Volt Typhoon cyberattacks, which U.S. officials have linked to Chinese state-sponsored threat actors. CISA’s initiative specifically references the Volt Typhoon campaign as an example of how adversaries have attempted to establish long-term access inside U.S. critical infrastructure systems to potentially support disruptive actions during military conflicts. The Volt Typhoon operation first became public in 2023, when U.S. authorities revealed that Chinese hackers had infiltrated multiple sectors of American critical infrastructure. Former CISA Director Jen Easterly stated in 2024 that the agency had identified and removed Volt Typhoon intrusions across several sectors. She later reiterated in 2025 that efforts continued to focus on identifying and evicting Chinese cyber actors from critical infrastructure environments. Despite these operations, cybersecurity researchers and some government officials have warned that Chinese threat actors may still retain access to portions of critical infrastructure networks. Several experts have argued that nation-state groups remain deeply embedded in certain environments despite years of remediation efforts. With the CI Fortify initiative, CISA appears to be shifting focus toward operational resilience, recognizing that prevention alone may not be sufficient against sophisticated nation-state cyber threats targeting U.S. critical infrastructure.

A newly disclosed cybersecurity issue, tracked as CVE-2026-0300, has drawn urgent attention due to its critical severity and active exploitation. The flaw affects PAN-OS, the operating system used in Palo Alto Networks firewalls, and has been categorized as a buffer overflow vulnerability with serious implications for enterprise security environments.  The CVE-2026-0300 PAN-OS vulnerability was officially published on May 6, 2026, and updated the same day after being discovered in real-world production environments. It carries a CVSS score of 9.3, placing it firmly in the “critical” category. The issue stems from a buffer overflow vulnerability in the User-ID Authentication Portal, also known as the Captive Portal service, within PAN-OS.  This flaw allows an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted network packets. Because the attack requires no authentication, no user interaction, and can be carried out over the network with low complexity, the exposure risk is considered extremely high. 

Technical Details of the Buffer Overflow Vulnerability in PAN-OS 

The root cause of CVE-2026-0300 PAN-OS is classified under CWE-787: Out-of-bounds Write, a common but dangerous type of buffer overflow vulnerability. Attackers can exploit this flaw to overwrite memory and potentially take full control of affected systems.  The vulnerability impacts PA-Series and VM-Series firewalls when the User-ID™ Authentication Portal is enabled. Importantly, Prisma Access, Cloud NGFW, and Panorama appliances are not affected.  Security data associated with the vulnerability highlights the following: 

• Attack Vector: Network  
• Attack Complexity: Low  
• Privileges Required: None  
• User Interaction: None  
• Confidentiality, Integrity, Availability Impact: High  

Additionally, the vulnerability is automatable and has already reached the “ATTACKED” stage in exploit maturity, indicating that real-world attacks have been observed. 

Active Exploitation and Risk Factors 

Evidence shows limited exploitation of CVE-2026-0300 PAN-OS, particularly targeting systems where the User-ID Authentication Portal is exposed to untrusted networks or the public internet. Environments that allow external access to this portal face the highest level of risk. The severity is further highlighted by the CVSS vector:  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H  This translates to a scenario where attackers can remotely compromise systems without needing credentials or user involvement, leveraging the buffer overflow vulnerability to gain root-level access. 

Affected and Unaffected Versions 

Multiple versions of PAN-OS are impacted by CVE-2026-0300, including: 

• PAN-OS 12.1 versions prior to 12.1.4-h5 and 12.1.7  
• PAN-OS 11.2 versions prior to 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12  
• PAN-OS 11.1 versions prior to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15  
• PAN-OS 10.2 versions prior to 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6  

Patches are scheduled with estimated availability dates ranging from May 13 to May 28, 2026. Cloud NGFW and Prisma Access deployments remain unaffected. 

Mitigation and Workarounds 

While patches are being rolled out, organizations are advised to take immediate steps to reduce exposure to the buffer overflow vulnerability in PAN-OS.  Recommended mitigations include: 

• Restricting access to the User-ID Authentication Portal to trusted internal IP addresses only  
• Preventing any exposure of the portal to the public internet  
• Disabling the User-ID Authentication Portal entirely if it is not required  

The risk associated with CVE-2026-0300 PAN-OS drops significantly when these best practices are implemented. Systems that already follow strict network segmentation and access control policies are at a much lower risk. 

The collaboration between the Unique Identification Authority of India and the National Forensic Sciences University marks a significant development in India's security landscape and digital forensics. In a move aimed at strengthening the country’s digital infrastructure, UIDAI and NFSU have formalized a five-year partnership to advance research, training, and operational capabilities in cybersecurity and digital forensics. 

According to an official statement, UIDAI and NFSU have established a structured collaboration designed to address emerging challenges in cybersecurity and digital forensics.

UIDAI and NFSU Join Forces on Cybersecurity and Digital Forensics

The agreement, announced on May 5 in Ahmedabad, provides a comprehensive framework to bring together expertise from both institutions. It is intended to reinforce cyber resilience across UIDAI’s systems, which form the backbone of India’s digital identity ecosystem.  The Ministry of Electronics and Information Technology highlighted that this partnership creates an umbrella structure for coordinated efforts in research, technical development, and capacity building. The initiative underscores the growing importance of cybersecurity and digital forensics as critical components of national digital infrastructure. 

Six Strategic Pillars Driving UIDAI and NFSU Collaboration 

The UIDAI and NFSU partnership is structured around six key pillars, each targeting specific aspects of cybersecurity and digital forensics. These include academic and professional development, aimed at building skilled talent in the field, as well as strengthening information security and system integrity within UIDAI’s ecosystem.  Another major focus area is the development of advanced forensic infrastructure and laboratory capabilities. This will support deeper investigation and analysis of cyber incidents. Additionally, the agreement outlines provisions for technical support in cybersecurity operations, ensuring that UIDAI benefits from NFSU’s specialized expertise.  The collaboration also emphasizes joint research and technical advisory in emerging technologies. Areas such as artificial intelligence, blockchain, cryptography, and deepfake detection are expected to play a central role. The sixth pillar focuses on strategic placement and outreach, creating pathways for NFSU students to gain hands-on experience and career opportunities within UIDAI-related projects. 

Strengthening India’s Digital Backbone

India’s digital identity framework, powered by UIDAI, requires continuous upgrades to counter evolving cyber threats. The UIDAI and NFSU partnership aims to address this need by integrating advanced cybersecurity and digital forensics practices into the system’s core operations. UIDAI Chief Executive Officer Vivek Chandra Verma described the agreement as a crucial step toward enhancing the security architecture of India’s digital public infrastructure. He stated that the collaboration will significantly improve forensic readiness and resilience, ensuring stronger protection against cyber risks. The signing ceremony was attended by senior officials from both institutions, including Deputy Director General Abhishek Kumar Singh and NFSU Gujarat Campus Director S. O. Junare. Their presence highlighted the institutional commitment to advancing cybersecurity and digital forensics through sustained collaboration. 

Expanding Access While Enhancing Security 

Alongside this partnership, UIDAI has also taken steps to improve accessibility to its services. Collaborations with digital platforms like MapmyIndia and Google now allow users to locate authorized Aadhaar centers more easily. These platforms provide information on available services, operating hours, and accessibility features. While these initiatives focus on user convenience, they also align with the broader objective of strengthening the integrity of India’s digital identity system. By combining improved accessibility with robust cybersecurity and digital forensics measures, UIDAI aims to maintain trust in its infrastructure.

Australia has announced the creation of a Cyber Incident Review Board, a move aimed at strengthening the country’s ability to respond to and learn from major cyberattacks. The initiative places Australia among a small group of jurisdictions globally that have formalised independent review mechanisms to assess significant cyber incidents and improve long-term resilience. The Cyber Incident Review Board will conduct no-fault, post-incident reviews of major cybersecurity events affecting both government and private sector organisations. Rather than assigning blame, the board’s mandate is to identify systemic gaps and generate actionable recommendations to improve how Australia prevents, detects and responds to cyber threats. Established under the Cyber Security Act 2024, the board is a central element of the government’s 2023-2030 Australian Cyber Security Strategy. The broader goal is to position Australia as one of the most cyber secure nations by the end of the decade, supported by resilient infrastructure, prepared communities and stronger industry practices. Officials said the Cyber Incident Review Board will focus on extracting lessons from incidents and translating them into practical steps that can reduce the likelihood and impact of future attacks.

Cyber Incident Review Board Brings Leaders From Cross-Sector 

The government has appointed a panel of senior cybersecurity and industry leaders to the Cyber Incident Review Board. The board will be chaired by Narelle Devine, Global Chief Information Security Officer at Telstra. Other members include Debi Ashenden of the University of New South Wales, Valeska Bloch from Allens, Jessica Burleigh of Boeing Australia, Darren Kane from NBN Co, Berin Lautenbach of Toll Group and Nathan Morelli from SA Power Networks. The group brings experience across cybersecurity operations, legal frameworks, governance, national security and critical infrastructure. Authorities said this mix is designed to ensure independent, credible advice that reflects both technical and policy realities.

Government Emphasises Learning Over Blame

Australia’s Minister for Cyber Security Tony Burke said the Cyber Incident Review Board will play a key role in ensuring continuous improvement in national cyber defence. “We know that cyber attacks are constant. This guarantees we learn from every attack and keep increasing our resilience,” Burke said in a statement. He added that the board will examine major cybersecurity incidents, develop findings and provide recommendations that can be applied across sectors. The no-fault model is intended to encourage cooperation from affected organisations, while still producing insights that can benefit the wider ecosystem.

Response Shaped by Recent High-Profile Cyberattacks

The creation of the Cyber Incident Review Board follows a series of major cyber incidents in Australia, including breaches involving health insurer Medibank and telecom provider Optus. These events exposed sensitive customer data and triggered widespread public concern, increasing pressure on the government to strengthen cybersecurity oversight. By introducing structured post-incident reviews, authorities aim to ensure that lessons from such breaches are not lost and can inform future preparedness efforts.

How Australia’s Approach Compares Globally

Australia’s Cyber Incident Review Board aligns with similar efforts internationally but includes some distinct features. The European Union has established a comparable mechanism under its Cyber Solidarity Act, tasking the EU Agency for Cybersecurity with reviewing significant cross-border incidents. However, that framework has yet to be tested in practice. In the United States, a cyber safety review board has already examined several incidents, including a high-profile breach involving Microsoft. That report pointed to avoidable security failures and called for cultural and leadership changes within the company, prompting CEO Satya Nadella to prioritise security across operations. However, earlier U.S. reviews, such as those into the Log4j vulnerability and the Lapsus$ group, were criticised for lacking focus and impact. Analysts noted that broader, less targeted reviews made it harder to drive accountability or meaningful change.

Stronger Powers to Ensure Participation

One notable difference in Australia’s model is its ability to compel organisations to provide information if they decline to participate voluntarily. This marks a shift from the U.S. approach, which relied on cooperation from affected entities. Experts have argued that such powers could improve the depth and accuracy of findings, ensuring that the Cyber Incident Review Board has access to critical data when analysing incidents. At the same time, the framework stops short of allowing flexible expansion of board membership for specialised cases, an idea that has been suggested in international policy discussions.

Focus on Long-Term Cyber Preparedness

The Cyber Incident Review Board is expected to become a key mechanism in shaping Australia’s cybersecurity posture over the coming years. By systematically reviewing incidents and sharing lessons across sectors, the government hopes to build a more coordinated and resilient defence against evolving cyber threats. With cyberattacks continuing to target critical infrastructure, businesses and public services, the success of the Cyber Incident Review Board will likely depend on its ability to translate insights into measurable improvements across the national ecosystem.

In the span of four days, the U.S. government announced two parallel sets of agreements with frontier AI companies that together define the two tracks Washington wants to run simultaneously—test AI for national security risks before the public ever sees it, and deploy AI directly on the military's most classified networks.

The Center for AI Standards and Innovation — CAISI, the entity under the Department of Commerce's National Institute of Standards and Technology that inherited the remit of the former AI Safety Institute — announced new agreements with Google DeepMind, Microsoft, and Elon Musk's xAI. These build on renegotiated agreements with Anthropic and OpenAI that date to 2024, updated to reflect directives from Commerce Secretary Howard Lutnick and America's AI Action Plan.

Under the CAISI agreements, the three companies will hand over their frontier AI models to government evaluators before those models are publicly released. The evaluations probe for national security-relevant capabilities and risks.

To conduct a thorough assessment, developers frequently provide CAISI with models that have reduced or removed safety guardrails — a design choice that allows evaluators to probe what a model can do at its ceiling, not what it will do under commercial safety controls. Evaluators from across the federal government participate, coordinated through the CAISI-convened TRAINS Taskforce, an interagency body focused specifically on AI national security concerns.

CAISI said it has completed more than 40 such evaluations to date. The agreements explicitly support testing in classified environments and were drafted with the flexibility to adapt rapidly as AI capabilities continue advancing.

"Independent, rigorous measurement science is essential to understanding frontier AI and its national security implications," said CAISI Director Chris Fall. "These expanded industry collaborations help us scale our work in the public interest at a critical moment."

Listen to: Charting the AI Frontier in Cybersecurity with Ryan Davis

Fall was appointed to lead CAISI after Collin Burns — a former Anthropic researcher — was reportedly removed from the director role after just four days. The personnel transition at CAISI's top reflects a broader institutional pivot. Under the Biden administration, the AI Safety Institute focused on safety standards, definitions, and voluntary guardrails. Under Trump, CAISI has shifted its emphasis toward AI acceleration and national security capability assessment. The substance of what the evaluators do — probe powerful models before release — has not changed. The framing of why they do it has.

The latest announcement comes four days after the Department of War (formerly Department of Defense) announced agreements with eight frontier AI companies to deploy their models directly on the military's classified networks for operational use.

The companies cleared are SpaceX, OpenAI, Google, NVIDIA, Reflection, Microsoft, Amazon Web Services, and Oracle. The networks in question are classified at Impact Level 6, covering secret-level data, and Impact Level 7, which refers to the most highly restricted national-security systems. The stated objectives are data synthesis, situational awareness enhancement, and warfighter decision support.

The Department of War announcement carries one conspicuous absence that dominates coverage of what it actually means. Anthropic is not on the list. The company that first deployed AI models on Pentagon classified systems — via a Palantir integration under the Maven Smart System contract — is excluded after a dispute over the guardrails governing military and surveillance use of its AI.

Also read: Australia Establishes AI Safety Institute to Combat Emerging Threats from Frontier AI Systems

The Pentagon had previously branded Anthropic a "supply chain risk," a designation typically reserved for foreign entities posing national security concerns. A March 2026 federal injunction reversed that designation, but it did not restore Anthropic's position as a Pentagon AI vendor. Palantir has pulled its Claude models from its DoD platforms accordingly.

The exclusion has strategic implications that extend beyond one company's contract status. Anthropic's recently released Mythos model — described by Treasury Secretary Scott Bessent as representing a step change in large language model capability — has generated significant attention from U.S. officials and financial sector executives about its potential to supercharge adversarial cyber operations.

The fact that Mythos is not among the models being assessed for classified military use, while simultaneously being cited by senior officials as a capability milestone that warrants concern, creates a gap in the government's stated AI security posture that is difficult to characterize as anything other than a policy contradiction.

Attackers have found a way to intercept SMS-based one-time passwords from a victim's mobile device without deploying a single line of malware on the phone itself. Instead, they go through the Windows PC the phone is already connected to.

Researchers documented an active intrusion campaign active since at least January 2026, that combines a remote access trojan called "CloudZ" with a previously undocumented plugin named "Pheno." Together the two tools are designed to steal credentials and harvest authentication codes that arrive on a victim's phone by abusing Microsoft Phone Link, a legitimate Windows application built into every Windows 10 and 11 system.

Microsoft Phone Link, formerly "Your Phone," is a synchronization tool that bridges a user's Android or iOS device to their Windows PC, mirroring calls, messages, and app notifications directly onto the desktop.

Pheno exploits that bridge. It continuously scans running processes for keywords including "YourPhone," "PhoneExperienceHost," and "Link to Windows" to detect an active phone connection. When one is found, the plugin writes "Maybe connected" to a local staging file and gains access to the Phone Link application's local SQLite database. It is a file that can contain SMS messages and authenticator app notification content, including OTP codes.

The attack never targets the mobile device directly. It targets the enterprise-managed Windows endpoint the device trusts, bypassing security controls focused on securing smartphones rather than the desktop layer they sync with.

Also read: Infostealers and Lack of MFA Led to Dozens of Major Breaches

CloudZ is a modular .NET RAT compiled on January 13, and obfuscated with ConfuserEx. Beyond loading Pheno, it supports credential harvesting from web browsers, file operations, remote command execution, and host profiling.

It establishes an encrypted TCP connection to its command-and-control server and rotates between three hardcoded user-agent strings to make its traffic blend with legitimate browser requests. To evade analysis, CloudZ detects .NET debuggers and profilers via environment variable queries and generates its executable functions dynamically in memory — meaning the most sensitive code never sits as a static binary on disk.

The infection chain begins with a fake ScreenConnect application update. ScreenConnect is a legitimate remote support tool commonly used in enterprise environments. Executing the fake update drops a Rust-compiled loader, which in turn deploys a .NET loader that installs CloudZ and establishes persistence via a scheduled task. The .NET loader performs thorough sandbox checks, scanning for analysis tools including Wireshark, Fiddler, Procmon, and Sysmon before proceeding.

Cisco Talos researchers did not attribute the campaign to a known threat actor. The initial access vector also remains unidentified.

A ransomware organization sentencing has brought one of the key operatives behind a major cybercrime group to justice, highlighting the global reach of law enforcement in tackling ransomware attacks. A Latvian national, Deniss Zolotarjovs, has been sentenced to 102 months in prison for his role in a Russian-linked ransomware organization responsible for targeting more than 54 companies worldwide. The sentencing marks a significant development in ongoing efforts to dismantle international ransomware networks. According to the U.S. Department of Justice, Zolotarjovs played a central role in extortion operations carried out between June 2021 and August 2023. The group operated under multiple ransomware brands, including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira, reflecting a complex and evolving cybercrime structure.

Ransomware Organization Sentencing: Role in Extortion and Data Exploitation

Officials said Zolotarjovs was primarily responsible for increasing pressure on victims who hesitated to pay ransom demands. He analyzed stolen data and used sensitive information to intensify extortion tactics. In one case involving a pediatric healthcare provider, Zolotarjovs used children’s health information to pressure the organization into paying. When the ransom demand was not met, he allegedly encouraged co-conspirators to leak or sell the data. Court documents reveal he distributed a bulk set of sensitive records to hundreds of patients, aiming to amplify fear and force compliance. Assistant Attorney General A. Tysen Duva described Zolotarjovs as a “cruel, ruthless, and dangerous international cybercriminal,” noting that his actions included exploiting highly personal data to increase leverage over victims.

Financial and Operational Impact of Attacks

The ransomware organization’s activities caused widespread damage. Of the more than 54 targeted companies, attacks on 13 resulted in losses exceeding $56 million, including approximately $2.8 million paid in ransom. An additional 41 companies are believed to have paid around $13 million, though detailed loss figures are still being compiled. Authorities estimate that the total financial impact could reach hundreds of millions of dollars when factoring in underreported incidents. Beyond financial losses, the attacks led to the exposure of highly sensitive data, including Social Security numbers, addresses, dates of birth, and healthcare records. In one instance, a government entity’s 911 emergency system was forced offline, raising serious concerns about public safety and the broader consequences of ransomware attacks.

Organized Structure and Global Operations

Investigators found that the ransomware organization operated with a structured hierarchy and used a network of companies across Russia, Europe, and the United States to mask its activities. Members were largely based in Russia and reportedly operated from an office in St. Petersburg. The group’s operations also involved corruption and misuse of public resources. Authorities said some members had ties to former Russian law enforcement, allowing them to access databases, intimidate individuals, and identify potential recruits. These connections also enabled members to avoid scrutiny, including evading taxes and military service through bribes.

Arrest, Extradition, and Prosecution

Zolotarjovs was arrested in Georgia in December 2023 and later extradited to the United States in August 2024 after contesting the process. In July 2025, he pleaded guilty to conspiracy charges involving money laundering and wire fraud. The case was investigated by the Federal Bureau of Investigation, with support from multiple field offices and international partners. Special Agent in Charge Jason Cromartie said the case reflects the agency’s continued efforts to track down cybercriminals operating across borders. U.S. Attorney Dominick S. Gerace II added that the prosecution demonstrates that cybercriminals cannot rely on geography or anonymity to evade justice.

Continued Focus on Ransomware Threats

The ransomware organization sentencing highlight the scale and persistence of ransomware threats targeting businesses and public services. Authorities said investigations into related actors and networks remain ongoing as part of broader efforts to disrupt global cybercrime operations.

A Canvas cybersecurity incident has disrupted services at Instructure, the company behind the widely used Canvas platform, raising concerns among educational institutions over potential data exposure and service interruptions. The Canvas cybersecurity incident first came to light late Friday, when Instructure disclosed that it had detected unauthorized activity linked to a cyberattack. The company said it immediately launched an investigation with the support of external forensic experts to determine the scope and impact. By Saturday, Chief Information Security Officer Steve Proud confirmed that attackers had gained access to certain user data from some institutions. The exposed information includes names, email addresses, student identification numbers, and messages exchanged within the platform. Proud emphasized that the incident has been contained. He added that the response involved revoking privileged credentials and access tokens, deploying security patches, and increasing system-wide monitoring. However, some of these defensive measures led to temporary disruptions in services, particularly tools dependent on API keys.

Canvas Cybersecurity Incident: No Financial or Sensitive Identity Data Compromised

Despite the data breach, Instructure stated that there is currently no evidence that highly sensitive data such as passwords, financial information, government identifiers, or dates of birth were accessed. The company noted it will notify affected institutions if any new findings emerge. Canvas is used extensively by schools, universities, and enterprises to manage coursework, host educational content, and facilitate communication between students and educators. The scale of its usage has amplified concerns around the potential reach of the incident.

ShinyHunters Claims Large-Scale Data Theft

The cybercriminal group ShinyHunters claimed responsibility for the attack on Sunday, alleging it had stolen 3.6 terabytes of data affecting more than 9,000 schools. These claims have not been independently verified, and Instructure has not publicly responded to the group’s assertions. [caption id="attachment_111847" align="aligncenter" width="657"] Source: X[/caption] Such claims, if validated, could significantly expand the scope of the Canvas cybersecurity incident beyond initial disclosures. For now, the company maintains that its investigation is ongoing.

Ongoing Maintenance and Service Restoration Efforts

Instructure has been providing regular updates as it works to stabilize systems affected by the Canvas cybersecurity incident. As of May 5, Canvas Data 2 and Beta services have largely been restored, while the Test environment remains under maintenance. Earlier updates indicated that some users experienced disruptions due to reissued application keys, a precautionary measure taken to enhance security. Users were required to re-authorize access to certain tools, with updated keys identifiable by timestamps. The company also confirmed that it rotated certain keys even without evidence of misuse, reflecting a cautious approach to securing its infrastructure.

Continued Monitoring as Investigation Proceeds

The investigation into the Canvas cybersecurity incident remains active, with Instructure continuing to monitor its systems and assess potential risks. The company has reiterated its commitment to transparency and stated that updates will be shared as new information becomes available. For institutions relying on Canvas, the incident highlights the operational impact of cybersecurity threats on critical education platforms. While services are gradually being restored, the focus now shifts to understanding the full extent of the breach and preventing similar incidents in the future.

It is always a bit jarring when the "digital locksmiths" are the ones getting their locks picked. Cybersecurity firm Trellix on Saturday confirmed it suffered a breach involving its internal source code repositories, proving that even the defenders aren't immune to the threats they fight.

The Incident

On May 2, Trellix released a statement confirming that unauthorized parties had gained access to sections of their internal code. Upon discovering the intrusion, the company initiated a standard response protocol. They hired external security experts to map the extent of the breach and informed relevant authorities immediately.

Trellix maintains that there is no evidence their software distribution channels were compromised or that any leaked code has been used in active attacks.

While the "all clear" on product safety is a relief, several questions remain. Trellix has yet to identify the threat actors, the duration of the unauthorized access, or the specific volume of data stolen.

Also read: Russia’s Digital Military Draft System Hit by Cyberattack, Source Code Leaked

The High Stakes of Security Code

A breach at a firm like Trellix—born from the merger of McAfee Enterprise and FireEye—carries more weight than a standard data leak. Because Trellix provides Endpoint Detection and Response (EDR) and XDR services to governments and global banks, their source code is a roadmap for attackers.

Why Source Code is a Target:

1. Vulnerability Research: Having the code allows hackers to hunt for "zero-day" flaws without having to guess how the software works.

2. Supply Chain Risk: If an attacker can inject malicious code into a trusted update, they can compromise thousands of customers at once.

3. Bypassing Defenses: Knowing how a security tool "thinks" makes it much easier for malware to stay invisible.

A Growing Trend in Tech

Trellix is far from the first titan to be targeted. They join a list of major players like Microsoft, Okta, and LastPass, all of whom have dealt with source code theft in recent years. This pattern suggests that sophisticated actors (whether cybercriminals or nation-states) are increasingly focused on the "keys to the kingdom."

For now, there isn't a "fire drill" for Trellix users. Since there is no proof of tampered software, the immediate risk remains low. Trellix has promised to be transparent as their investigation concludes. Until then, the industry is left waiting to see if this was a simple smash-and-grab or the opening move of a much larger campaign.

When governments introduced stricter online age checks under the UK’s Online Safety Act, the goal was to keep children away from harmful content. But in practice, the system is already showing cracks—and the most telling insight comes from the very users it’s meant to protect.

Children aren’t just countering age checks, they’re actively bypassing them—and often with surprising ease.

According to a new report from Internet Matters foundation, nearly half of children (46%) believe age verification systems are easy to get around, while only 17% think they are difficult. That perception isn’t theoretical. It’s grounded in real behavior, shared knowledge, and increasingly creative workarounds.

From simply entering a fake birthdate to using someone else’s ID, children have developed a toolkit to bypass techniques. Some methods are almost trivial—changing a date of birth or borrowing a parent’s login—while others reflect a growing sophistication. Kids reported submitting altered images, using AI-generated faces, or even drawing facial hair on themselves to trick facial recognition systems.

In one striking example, a parent described catching their child using makeup to appear older—successfully fooling the system.

I did catch my son using an eyebrow pencil to draw a moustache on his face, and it verified him as 15 years old. – Mum of boy, 12

But the problem goes deeper than perception. It’s systemic.

Also read: UK Regulator Ofcom Launches Probe into Telegram, Teen Chat Platforms

Bypassing Is the Norm, Not the Exception

The report reveals that nearly one in three children (32%) admitted to bypassing age restrictions in just the past two months. Older children are even more likely to do so, which shows how digital literacy often translates into evasion capability.

The most common methods?

• Entering a fake birthdate (13%)
• Using someone else’s login credentials (9%)
• Accessing platforms via another person’s device (8%)

Despite widespread concerns about VPNs, they play a relatively minor role. Only 7% of children reported using them to bypass restrictions, suggesting that simpler, low-effort tactics remain the preferred route.

In other words, the barrier to entry is not just low—it’s practically optional.

Europe’s cyber threat landscape Q1 2026 shows a sharp acceleration in cyber threats across the region. Do you know what's contributing to it?

Check Cyble's full analysis report here!

Even When It Works, It Doesn’t Work

Ironically, even when children attempt to follow the rules, the technology doesn’t always cooperate.

Some reported being incorrectly identified as older—or younger—by facial recognition systems. In cases where they were flagged as underage, enforcement was often inconsistent or temporary. One child described being blocked from going live on a platform for just 10 minutes before being allowed to try again.

This inconsistency creates a loophole where persistence pays. If at first you’re denied, simply try again.

A Risky Side Effect

Perhaps the most concerning finding isn’t that children can bypass age checks—it’s that adults can too.

The report states fears that adults may exploit these same weaknesses to access spaces intended for younger users. In some cases, this involves using images or videos of children to trick verification systems. There are even reports of adults acquiring child-registered accounts to blend into youth platforms.

This flips the entire premise of age verification on its head. Instead of protecting children, flawed systems may inadvertently expose them to greater risk.

Parents, Part of the Problem—or the Solution?

Adding another layer of complexity, parents themselves are sometimes complicit.

About 26% of parents admitted to allowing their children to bypass age checks, with 17% actively helping them do so. The reasoning is often pragmatic. Parents feel they understand the risks and trust their child’s judgment.

I have helped my son get around them. It was to play a game, and I knew the game, and I was happy and confident that I was fine with him playing it. – Mum of non-binary child, 13

But this undermines the consistency of enforcement. If rules vary from household to household, platform-level protections lose their impact.

Interestingly, the data also suggests that communication matters. Children who regularly discuss their online activity with parents are less likely to bypass restrictions than those who don’t.

Why Kids Are Bypassing in the First Place

The motivations aren’t always malicious. In many cases, children are simply trying to access social media (34%), gaming communities (30%), or messaging apps (29%) that their peers are already using.

What this resonate is a fundamental tension where age verification systems are trying to enforce boundaries in environments where social participation is the norm.

Age verification is often positioned as a cornerstone of online safety. But in practice, it’s proving to be more of a speed bump than a safeguard.

Children understand the systems. They share methods. They adapt quickly. And until the technology—and its enforcement—becomes significantly more robust, age checks may offer more reassurance than real protection.

The Federal Bureau of Investigation (FBI) has issued a public warning over a sharp rise in cyber-enabled cargo theft, as threat actors increasingly use digital tactics to impersonate legitimate businesses, hijack freight, and steal high-value shipments. According to the FBI, cybercriminals are targeting transportation and logistics companies involved in shipping, receiving, and insuring cargo. The agency said these attacks have been ongoing since at least 2024 and are now becoming more sophisticated and widespread. Losses linked to cyber-enabled cargo theft have surged significantly. In 2025, estimated cargo theft losses in the United States and Canada reached nearly $725 million, marking a 60 percent increase from the previous year. Confirmed incidents rose by 18 percent, while the average value per theft increased by 36 percent to $273,990, reflecting a shift toward more targeted, high-value shipments.

How Cyber-Enabled Cargo Theft Works

The FBI outlined a structured, multi-step process used in cyber-enabled cargo theft schemes. Attackers begin by compromising accounts of brokers and carriers through phishing techniques such as spoofed emails, fake websites, and malicious links. Victims are often sent emails posing as legitimate business communications, such as carrier agreements or service complaints. These emails include links that lead to phishing websites designed to mimic trusted platforms. Once accessed, these sites deploy malware or remote monitoring tools, allowing attackers to gain full control over systems without detection. After gaining access, cybercriminals exploit online freight marketplaces known as load boards. They impersonate legitimate brokers or carriers and post fake shipment listings, sometimes in large volumes. Unsuspecting carriers bid on these listings and are further compromised through fraudulent agreements or malicious downloads. In the next stage, attackers use the compromised accounts to accept real shipment contracts. They then engage in illegal double-brokering, rerouting freight to unintended locations. Shipment documents are manipulated, including bills of lading, and delivery destinations are altered without the knowledge of the original parties. The final stage of cyber-enabled cargo theft involves physically diverting the cargo. Goods are transferred through cross-docking or transloading to other drivers, often complicit, and then stolen for resale. In some cases, attackers demand ransom payments in exchange for information about the shipment’s location. [caption id="attachment_111803" align="aligncenter" width="972"] Image Source: https://www.ic3.gov/[/caption]

Indicators of Cyber-Enabled Cargo Theft

The FBI has identified several warning signs that may indicate a cyber-enabled cargo theft attempt. These include unexpected communications regarding shipments made in a company’s name, spoofed email domains, and requests to download documents from suspicious links. Other indicators include emails referencing negative service reviews with embedded links, unauthorized changes to email account settings, and slight variations in domain names designed to mimic legitimate organisations. Attackers may also use temporary or internet-based phone numbers to communicate with victims. These tactics are designed to create a sense of urgency or legitimacy, increasing the likelihood that employees will engage with malicious content.

Steps to Prevent Theft

To reduce the risk of cyber-enabled cargo theft, the FBI is urging organisations to adopt stronger verification and security practices. Companies are advised to independently confirm shipment requests using multiple communication channels before releasing goods. The agency recommends implementing multi-layer verification processes and not relying solely on familiar names or email addresses. Businesses should also maintain detailed records of all transactions, including driver identification, vehicle details, and communication logs, to support investigations if needed. Recognising phishing attempts and avoiding interaction with suspicious links remain critical preventive measures.

Reporting Theft Incidents

The FBI has encouraged victims of cyber-enabled cargo theft to report incidents promptly. In addition to contacting local law enforcement, affected organisations should file complaints with the Internet Crime Complaint Center (IC3) or reach out to their nearest FBI field office. The agency said timely reporting can help identify patterns, disrupt criminal networks, and prevent further losses across the logistics sector.

The global digital rights conference RightsCon 2026 has been cancelled just days before its scheduled start in Lusaka, after Zambia’s government intervened, citing concerns over the event’s themes and participation. The decision has left thousands of attendees stranded or forced to change plans, marking a major disruption for one of the world’s largest gatherings focused on digital rights. The conference, hosted by Access Now, was set to begin on May 5 and expected to bring together more than 2,600 in-person participants and 1,100 online attendees from over 150 countries. However, organisers confirmed that RightsCon 2026 will not proceed either in Zambia or virtually.

Sudden Cancellation of RightsCon 2026

The first indication of trouble emerged when Zambia’s Minister of Technology and Science raised concerns about incomplete security clearances and the nature of the conference’s discussions. Soon after, state-owned media announced that the government had “postponed” the event. Organisers say the move came without formal consultation. In a detailed statement, Access Now described the situation as unprecedented and deeply disruptive. “To our community, We are devastated to be writing to you instead of gathering together as planned and we know we’re not alone. The frustration and disappointment stemming from the loss of RightsCon 2026 is felt deeply by all of us, especially our partners in the region who worked tirelessly alongside our team.” The organisation added that the scale of the event made postponement impractical, noting that planning had been underway for more than a year with over 500 sessions scheduled.

Allegations of Foreign Interference

A key issue highlighted by organisers was alleged external pressure linked to participation from Taiwanese civil society groups. According to Access Now, concerns were raised after communication from Zambian officials regarding diplomatic pressure. “We believe foreign interference is the reason RightsCon 2026 won’t proceed in Zambia or online.” The organisers said they were informally told that for the conference to go ahead, certain topics would need to be moderated and some communities excluded, including Taiwanese participants. This, they said, crossed a fundamental line. “This was our red line. Not because we were unwilling to engage, but because the conditions set before us were unacceptable and counter to what RightsCon is and what Access Now stands for.”

Breakdown in Communication

Access Now detailed a breakdown in communication with Zambian authorities in the final days leading up to the event. Despite prior agreements, including a signed memorandum of understanding and coordination on visa processes, organisers said they received no clear explanation before the cancellation was publicly announced. At 9:33 pm local time on April 28, the postponement was reported in the media before organisers received official confirmation. A formal letter followed later, stating that the decision was “necessitated by the need for comprehensive disclosure of critical information relating to key thematic issues proposed for discussion.” Organisers said the explanation lacked clarity and did not specify actionable concerns.

Impact on Global Digital Rights Community

The cancellation of RightsCon 2026 has had immediate consequences for the global digital rights community. Thousands of participants were already travelling to Lusaka when the announcement was made. “It is with heavy hearts that we share: RightsCon will not proceed in Zambia or online.” “We do not recommend registered participants travel to Lusaka for RightsCon.” The event has long been considered a key platform for discussions on internet governance, privacy, cybersecurity, and freedom of expression. Its cancellation raises broader concerns about shrinking civic space and restrictions on global dialogue. Access Now described the situation as part of a wider challenge facing civil society. “We see this unilateral decision, and the way it was taken, as evidence of the far reach of transnational repression targeting civil society, and effectively shrinking the spaces in which we operate.”

What Comes Next After RightsCon 2026 Cancellation

Despite the setback, organisers reaffirmed their commitment to the event’s mission and the broader digital rights movement. “RightsCon may not happen in Zambia, but we will come together again; how and where we do so will be informed by you, our community.” Access Now also acknowledged the support received from partners, governments, and participants in the aftermath of the cancellation. The abrupt halt of RightsCon 2026 highlights the challenges facing international forums that address sensitive issues such as digital freedoms.

Organisations worldwide are being urged to prepare for a vulnerability patch wave, as security experts warn that advances in artificial intelligence (AI) could rapidly expose long-standing weaknesses across software systems. The warning comes from National Cyber Security Centre (NCSC), which says businesses must act now to strengthen their environments before a surge of critical updates arrives. In a blog, Chief Technology Officer Ollie Whitehouse highlighted that years of accumulated technical debt are now becoming a major cybersecurity risk. Technical debt refers to unresolved flaws and compromises in software that arise when organisations prioritise speed or short-term delivery over long-term resilience. According to Whitehouse, artificial intelligence is accelerating the problem. Skilled attackers are increasingly able to use AI tools to identify and exploit vulnerabilities at scale, forcing what the NCSC describes as a “correction” across the technology ecosystem. This is expected to trigger a vulnerability patch wave, with a high volume of security updates affecting open source, commercial, proprietary, and software-as-a-service platforms.

Prioritising External Attack Surfaces

As part of preparing for the vulnerability patch wave, the NCSC advises organisations to first focus on their external attack surfaces. Internet-facing systems, cloud services, and exposed infrastructure present the highest risk when new vulnerabilities are disclosed. The guidance recommends a perimeter-first approach. Organisations should secure outward-facing technologies before moving deeper into internal systems. This reduces the likelihood that attackers can exploit newly discovered weaknesses during the vulnerability patch wave. Where resources are limited, priority should be given to patching systems that are directly exposed to the internet. Critical security infrastructure should follow next. However, the NCSC cautions that patching alone will not solve every issue. Legacy and end-of-life systems remain a major concern. Many of these technologies no longer receive security updates, leaving organisations vulnerable even during a vulnerability patch wave. In such cases, businesses may need to replace outdated systems or bring them back into supported environments, especially if they are externally accessible.

Preparing for Faster and Large-scale Patching

The expected vulnerability patch wave will require organisations to rethink how they manage updates. The NCSC is urging businesses to prepare for faster, more frequent, and large-scale deployment of security patches, including across supply chains. Several key measures have been recommended:

• Enable automatic updates wherever possible to reduce operational burden
• Adopt secure “hot patching” to apply fixes without service disruption
• Ensure internal processes support rapid and large-scale updates
• Use risk-based prioritisation models such as Stakeholder Specific Vulnerability Categorisation (SSVC)

Whitehouse noted that organisations must be ready to accelerate patching timelines when critical vulnerabilities are actively exploited, particularly those affecting internet-facing systems. At the core of this approach is an “update by default” policy. This means applying software updates as quickly as possible, ideally through automated processes. While this may not always be feasible for safety-critical or operational technology systems, the NCSC says it should form the foundation of modern vulnerability management strategies.

Beyond Vulnerability Patch Wave: Addressing Systemic Risks

The NCSC emphasises that the vulnerability patch wave is only part of a broader cybersecurity challenge. Patching addresses immediate risks, but it does not eliminate the underlying causes of technical debt. Technology vendors are being encouraged to build more secure systems from the outset. This includes adopting memory safety and containment technologies such as CHERI, which can reduce the likelihood of exploitable vulnerabilities. For organisations operating critical services, strengthening cybersecurity fundamentals is equally important. Frameworks such as Cyber Essentials and sector-specific resilience models can help reduce the impact of breaches and improve overall security posture. Additional guidance has also been issued for high-risk environments, covering areas such as privileged access workstations, cross-domain security architecture, and threat detection through observability and proactive hunting.

Organisations Urged to Act Now

The NCSC has made it clear that preparation cannot be delayed. The anticipated vulnerability patch wave is expected to impact organisations of all sizes and sectors. Businesses are advised to review their vulnerability management processes, assess their exposure, and ensure their supply chains are also ready to respond. Larger organisations, in particular, are encouraged to seek assurance from both commercial and open-source partners. As Whitehouse concluded, readiness for the vulnerability patch wave will depend on proactive planning, strong fundamentals, and the ability to respond quickly at scale.