@GossiTheDog I’ve noticed today that many media outlets are mentioning this VulnCheck research where they say NGINX CVE-2026-42945 is being actively exploited because they detected honeypot activity. Thoughts on this Kevin? Here’s an example article…. https://www.helpnetsecurity.com/2026/05/18/ngnix-vulnerability-exploited-cve-2026-42945/

🚨 NGINX bug (CVE-2026-42945) now under active exploitation.

Critical heap overflow in rewrite module. Attackers can crash workers with one request (possible RCE).

Patch now if using NGINX ≤1.30.0. Check rewrite/if/set rules.

Full details: https://thehackernews.com/2026/05/nginx-cve-2026-42945-exploited-in-wild.html

🚨 CRITICAL: Active exploitation of NGINX heap buffer overflow (CVE-2026-42945) in ngx_http_rewrite_module. Remote DoS on default, RCE possible if ASLR is off. Patch now! Official fix by F5. https://radar.offseq.com/threat/exploitation-of-critical-nginx-vulnerability-begin-ecd29fd7 #OffSeq #NGINX #Vuln #Patch

📰 Critical 18-Year-Old 'NGINX Rift' Vulnerability (CVE-2026-42945) Under Active Attack

🚨 CRITICAL NGINX FLAW! An 18-year-old bug 'NGINX Rift' (CVE-2026-42945) is actively exploited for DoS & RCE. Affects millions of web servers. Patch immediately! #NGINX #CVE #Infosec #PatchNow

🌐 cyber[.]netsecops[.]io

🔗 https://cyber.netsecops.io/articles/nginx-rift-critical-vulnerability-cve-2026-42945-active-exploitation/?utm_source=mastodon&utm_medium=social&utm_campaign=daily

Scan for possible exposure indicators related to NGINX Rift, CVE-2026-42945, with the SecPoint Penetrator.

This is a serious NGINX rewrite module vulnerability that may lead to worker crashes and, under specific conditions, potential code execution.

Our detection helps organizations identify systems that show remote indicators associated with this vulnerability, enabling faster prioritization and remediation.

#SecPoint #NGINX #CyberSecurity #VulnerabilityScanning #Penetrator

Geopolitical: US-China held cyber discussions, Iran seized a vessel near the Strait of Hormuz, and Ukraine experienced drone attacks on Moscow. Tech: Microsoft Edge enhanced password security; Colorado and Georgia enacted new AI legislation. Cybersecurity: Instructure paid hackers' ransom after a breach, and a critical NGINX vulnerability (CVE-2026-42945) is under active exploitation.

#AnonNews_irc #Cybersecurity #News

https://winbuzzer.com/2026/05/18/new-windows-miniplasma-zero-day-exploit-gives-syst-xcxwbn/

MiniPlasma is a newly released proof-of-concept exploit that reportedly turns a standard Windows user into SYSTEM on fully patched Windows 11 systems, reviving doubts about a flaw Microsoft marked fixed in 2020.

#Cybersecurity #MiniPlasma #Microsoft #Windows11 #CVE202017103 #ChaoticEclipse #MicrosoftWindows #Windows11

📬 MiniPlasma zeigt: Selbst gepatchtes Windows ist angreifbar
#ITSicherheit #ChaoticEclipse #CVE202017103 #Microsoft #MiniPlasma #Patchmanagement #PrivilegeEscalation #Sicherheitslücke #SYSTEMRechte #Windows11 #WindowsZeroDay https://sc.tarnkappe.info/9841ba

The Register quoted Wiz putting it plainly: “The Linux networking stack is starting to look less like infrastructure and more like a root exploit vending machine.”

https://byteiota.com/fragnesia-cve-2026-46300-dirty-frag-patch-linux-root-exploit/

#copyfail #dirtyfrag #fragnesia #linux

Hm #Debian hat immer noch keinen #fragnesia fix.
https://security-tracker.debian.org/tracker/CVE-2026-46300

Fragnesia (CVE-2026-46300) i DirtyDecrypt (CVE-2026-31635) ( https://nfsec.pl/security/6722 ) #linux #kernel #security

https://www.youtube.com/watch?v=dWAPcXh8UEE

Security updates: Debian vs Ubuntu, AlmaLinux vs Rocky Linux

https://blog.frehi.be/2026/05/18/security-updates-debian-vs-ubuntu-almalinux-vs-rocky-linux/

Linux Kernel 7.0.8 is released with patches to fix the ssh-keysign-pwn (CVE-2026-46333) root exploit flaw. Update your Linux system today.

More details here: https://ostechnix.com/linux-kernel-7-0-8-ssh-keysign-pwn-root-exploit-fix/

#Linux #Kernel708 #ssh_keysign_pwn #CVE_2026_46333 #Rootexploit #Security #Kernelpatch

CVE-2026-46333 - War wohl 6 jahre lang bekannt ohne das gehandelt wurde - https://www.gotekky.com/guides/security/cve-2026-46333-ssh-keysign-pwn-linux-kernel/

AI Discovers CVE-2026-46333 Linux Kernel Vulnerability #devopsish https://linuxstans.com/ai-just-found-another-linux-zero-day-and-security-researchers-are-freaking-out/

Security updates: Debian vs Ubuntu, AlmaLinux vs Rocky Linux

https://blog.frehi.be/2026/05/18/security-updates-debian-vs-ubuntu-almalinux-vs-rocky-linux/

CVE-2026-42897: vulnerabilità critica XSS in Exchange Server OWA — mitigazione di emergenza disponibile
#tech
https://spcnet.it/cve-2026-42897-vulnerabilita-critica-xss-in-exchange-server-owa-mitigazione-di-emergenza-disponibile/
@informatica

Here's a professional summary of recent developments:

Fast16 malware, predating Stuxnet, is confirmed as a nuclear weapons simulation sabotage tool (May 18). A Microsoft Exchange vulnerability (CVE-2026-42897) is actively exploited. US-Iran tensions heighten after Trump's warnings of military action (May 18). Malta becomes the first country to offer ChatGPT Plus nationwide as a public service (May 17).

#Cybersecurity #Geopolitics #TechNews

RE: https://infosec.exchange/@perfect10_bot/116596917951373116

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42822

What privileges could be gained by an attacker who successfully exploited the vulnerability?
An attacker could gain elevated privileges beyond those normally available to them, allowing actions such as accessing restricted information or performing operations that are typically limited to more highly privileged users or administrators.

:blob_neutral_face:

fr, wtaf is this advisory?

CVE-2026-42822 (CRITICAL, CVSS 10): Azure Local Disconnected Operations has an improper authentication flaw — unauthenticated attackers can gain elevated privileges remotely. Apply official patch ASAP: https://radar.offseq.com/threat/cve-2026-42822-cwe-287-improper-authentication-in--a8d083ed #OffSeq #Azure #Vulnerability #Security

🚨 In this week’s newsletter, we cover CVE-2024-9643, a Four-Faith router authentication bypass now moving into mass exploitation.
We break down how attackers are turning exposed industrial routers into botnet infrastructure and what defenders should do next.

Read the full analysis and protect your systems 👉 https://www.crowdsec.net/vulntracking-report/cve-2024-9643-four-faith-router-authentication-bypass

UAT-8616: il gruppo d’élite sfrutta il sesto zero-day Cisco SD-WAN e prende di mira governi europei e asiatici

https://insicurezzadigitale.com/uat-8616-il-gruppo-delite-sfrutta-il-sesto-zero-day-cisco-sd-wan-e-prende-di-mira-governi-europei-e-asiatici/

IT threat evolution in Q1 2026. Non-mobile statistics

IT threat evolution in Q1 2026. Non-mobile statistics
IT threat evolution in Q1 2026. Mobile statistics

The statistics in this report are based on detection verdicts returned by Kaspersky products unless otherwise stated. The information was provided by Kaspersky users who consented to sharing statistical data.

Quarterly figures

In Q1 2026:

• Kaspersky products blocked more than 343 million attacks that originated with various online resources.
• Web Anti-Virus responded to 50 million unique links.
• File Anti-Virus blocked nearly 15 million malicious and potentially unwanted objects.
• 2938 new ransomware variants were detected.
• More than 77,000 users experienced ransomware attacks.
• 14% of all ransomware victims whose data was published on threat actors’ data leak sites (DLS) were victims of Clop.
• More than 260,000 users were targeted by miners.

Ransomware

Quarterly trends and highlights

Law enforcement success

In January 2026, it was reported that the FBI had seized the domains of the RAMP cybercrime forum, a major platform used extensively by ransomware developers to advertise their RaaS programs and to recruit affiliates. There has been no official statement from the FBI, nor is it clear if RAMP servers were seized. In a post on an external website, a RAMP moderator mentioned law enforcement agencies gaining control over the forum. The takedown disrupted a key element of the RaaS ecosystem, creating ripple effects for ransomware operators, affiliates, and initial access brokers.

A man suspected of links to the Phobos group was apprehended in Poland. He was charged with the creation, acquisition, and distribution of software designed for unlawfully obtaining information, including data that facilitates unauthorized access to information stored within a computer system.

In March, a Phobos ransomware administrator pleaded guilty to the creation and distribution of the Trojan, which had been used in international attacks dating back to at least November 2020.

In March, the U.S. Department of Justice charged a man who had acted as a negotiator for ransomware groups. The company he worked for specializes in cyberincident investigations. The prosecution alleges the suspect colluded with the BlackCat threat actor to share privileged insights into the ongoing progress of negotiations. Additionally, the suspect is alleged to have had a prior direct role in BlackCat attacks, serving as an affiliate for the RaaS operation.

In a separate development this March, a U.S. court sentenced an initial access broker associated with the Yanluowang ransomware group to 81 months of imprisonment. According to the U.S. Department of Justice, the convict facilitated dozens of ransomware attacks across the United States, resulting in over $9 million in actual loss and more than $24 million in intended loss.

Vulnerabilities and attacks

The Interlock group has been heavily exploiting the CVE-2026-20131 zero-day vulnerability in Cisco Secure FMC firewall management software since at least January 26, 2026. The vulnerability enabled arbitrary Java code execution with root privileges on the affected device. This campaign demonstrates the ongoing reliance on zero-day vulnerabilities for initial access, a focus on network appliances as high-value entry points, and the rapid weaponization of new vulnerabilities within the ransomware ecosystem.

The most prolific groups

This section highlights the most prolific ransomware gangs by number of victims added to each group’s DLS. This quarter, the Clop ransomware (14.42%) returned to the top of the rankings, displacing Qilin (12.34%), which had held the leading position in the previous reporting period. Following closely is a new threat actor, The Gentlemen (9.25%). Emerging no later than July 2025, the group had already surpassed the activity levels of mainstays such as Akira (7.25%) and INC Ransom (6.13%).

Number of each group’s victims according to its DLS as a percentage of all groups’ victims published on all the DLSs under review during the reporting period (download)

Number of new variants

In Q1 2026, Kaspersky solutions detected six new ransomware families and 2938 new modifications. Volumes have returned to Q3 2025 levels following a surge in Q4 2025.

Number of new ransomware modifications, Q1 2025 — Q1 2026 (download)

Number of users attacked by ransomware Trojans

Throughout Q1, our solutions protected 77,319 unique users from ransomware. Ransomware activity was highest in March, with 35,056 unique users encountering such attacks during the month.

Number of unique users attacked by ransomware Trojans, Q1 2026 (download)

Attack geography

TOP 10 countries and territories attacked by ransomware Trojans

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country/territory.

TOP 10 most common families of ransomware Trojans

* Unique Kaspersky users attacked by the specific ransomware Trojan family as a percentage of all unique users attacked by this type of threat.

Miners

Number of new variants

In Q1 2026, Kaspersky solutions detected 3485 new modifications of miners.

Number of new miner modifications, Q1 2026 (download)

Number of users attacked by miners

In Q1, we detected attacks using miner programs on the computers of 260,588 unique Kaspersky users worldwide.

Number of unique users attacked by miners, Q1 2026 (download)

Attack geography

TOP 10 countries and territories attacked by miners

* Excluded are countries and territories with relatively few (under 50,000) Kaspersky users.
** Unique users whose computers were attacked by miners as a percentage of all unique users of Kaspersky products in the country/territory.

Attacks on macOS

In Q1 2026, Google uncovered a new cryptocurrency theft campaign. The scammers directed victims to a fraudulent video call, prompting them to execute malicious scripts under the guise of technical support fixes for connection problems.

In March, researchers with GTIG and iVerify reported the discovery of an in-the-wild exploit chain targeting both iOS and macOS devices. The exploit kit was apparently marketed on the dark web, providing threat actors with a suite of spyware capabilities alongside specialized cryptocurrency exfiltration modules. The exploit was delivered via drive-by downloads when victims visited various compromised websites. Our analysis confirmed that the toolkit included an updated version of a component previously identified in the Operation Triangulation attack chain.

Devices running macOS were similarly impacted by the high-profile supply chain attack targeting the Axios npm package, a widely used HTTP client for JavaScript. The installation of the infected package led to the deployment of a backdoor on macOS devices.

TOP 20 threats to macOS

Unique users* who encountered this malware as a percentage of all attacked users of Kaspersky security solutions for macOS (download)

* Data for the previous quarter may differ slightly from previously published data due to some verdicts being retrospectively revised.

The share of PasivRobber spyware attacks is beginning to decline, giving way to more traditional adware and Monitor-class software capable of tracking user activity. The popular Amos stealer also maintains its presence within the TOP 20.

Geography of threats to macOS

TOP 10 countries and territories by share of attacked users

* Unique users who encountered threats to macOS as a percentage of all unique Kaspersky users in the country/territory.

IoT threat statistics

This section presents statistics on attacks targeting Kaspersky IoT honeypots. The geographic data on attack sources is based on the IP addresses of attacking devices.

In Q1 2026, the share of devices attacking Kaspersky honeypots via the SSH protocol saw a significant increase compared to the previous reporting period.

Distribution of attacked services by number of unique IP addresses of attacking devices (download)

The distribution of attacks between Telnet and SSH maintained the ratio observed in Q4 2025.

Distribution of attackers’ sessions in Kaspersky honeypots (download)

TOP 10 threats delivered to IoT devices

Share of each threat delivered to an infected device as a result of a successful attack, out of the total number of threats delivered (download)

The primary shifts in the IoT threat distribution are linked to the activity of various Mirai botnet variants, although members of this family continue to account for the majority of the list. Furthermore, a new variant, Mirai.kl, surfaced in the rankings. We also observed a significant decline in NyaDrop botnet activity during Q1.

Attacks on IoT honeypots

The United States, the Netherlands, and Germany accounted for the highest proportions of SSH-based attacks during this period.

China continues to account for the largest proportion of Telnet attacks, though there was a marked increase in activity originating from Pakistan.

Attacks via web resources

The statistics in this section are based on detection verdicts by Web Anti-Virus, which protects users when suspicious objects are downloaded from malicious or infected web pages. These malicious pages are purposefully created by cybercriminals. Websites that host user-generated content, such as message boards, as well as compromised legitimate sites, can become infected.

TOP 10 countries and territories that served as sources of web-based attacks

The following statistics show the distribution by country/territory of the sources of internet attacks blocked by Kaspersky products on user computers (web pages redirecting to exploits, sites containing exploits and other malicious programs, botnet C&C centers, and so on). One or more web-based attacks could originate from each unique host.

To determine the geographic source of web attacks, we matched the domain name with the real IP address where the domain is hosted, then identified the geographic location of that IP address (GeoIP).

In Q1 2026, Kaspersky solutions blocked 343,823,407 attacks launched from internet resources worldwide. Web Anti-Virus was triggered by 49,983,611 unique URLs.

Web-based attacks by country/territory, Q1 2026 (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of malware infection via the internet for users’ computers in different countries and territories, we calculated the share of Kaspersky users in each location on whose computers Web Anti-Virus was triggered during the reporting period. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

This ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users targeted by web-based Malware attacks as a percentage of all unique users of Kaspersky products in the country/territory.

On average during the quarter, 4.73% of users’ computers worldwide were subjected to at least one Malware web attack.

Local threats

Statistics on local infections of user computers are an important indicator. They include objects that penetrated the target computer by infecting files or removable media, or initially made their way onto the computer in non-open form. Examples of the latter are programs in complex installers and encrypted files.

Data in this section is based on analyzing statistics produced by anti-virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. The statistics are based on detection verdicts from the On-Access Scan (OAS) and On-Demand Scan (ODS) modules of File Anti-Virus and include detections of malicious programs located on user computers or removable media connected to the computers, such as flash drives, camera memory cards, phones, or external hard drives.

In Q1 2026, our File Anti-Virus detected 15,831,319 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country and territory, we calculated the percentage of Kaspersky users whose computers had the File Anti-Virus triggered at least once during the reporting period. This statistic reflects the level of personal computer infection in different countries and territories around the world.

Note that this ranked list includes only attacks by malicious objects classified as Malware. Our calculations leave out File Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

* Excluded are countries and territories with relatively few (under 10,000) Kaspersky users.
** Unique users on whose computers local Malware threats were blocked, as a percentage of all unique users of Kaspersky products in the country/territory.

On average worldwide, Malware local threats were detected at least once on 11.55% of users’ computers during Q1.

Russia scored 11.92% in these rankings.

securelist.com/malware-report-…

Security updates: Debian vs Ubuntu, AlmaLinux vs Rocky Linux

https://blog.frehi.be/2026/05/18/security-updates-debian-vs-ubuntu-almalinux-vs-rocky-linux/