VENOMOUS#HELPER phishing campaign active since April 2025 has impacted 80+ organizations, mainly in the U.S., using SSA-themed lures.
Category: cybercrime/malcode – Page 3
CISA Adds Actively Exploited Linux Root Access Bug CVE-2026–31431 to KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw impacting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerability, tracked as CVE-2026–31431 (CVSS score: 7.8), is a case of local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root. The nine-year-old flaw is also tracked as Copy Fail by Theori and Xint. Fixes have been made available in Linux kernel versions 6.18.22, 6.19.12, and 7.0.
“Linux Kernel contains an incorrect resource transfer between spheres vulnerability that could allow for privilege escalation,” CISA said in an advisory.
Amazon SES increasingly abused in phishing to evade detection
The Amazon Simple Email Service (SES) is being increasingly abused to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective.
Although the resource has been leveraged for malicious activity in the past, the current spike may be due to a large number of AWS Identity and Access Management access keys exposed in public assets.
Because it is a legitimate, trusted resource, phishing operations can leverage Amazon SES to send out malicious emails that pass authentication checks.
30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign
A newly discovered Vietnamese-linked operation has been observed using a Google AppSheet as a “phishing relay” to distribute phishing emails with an aim to compromise Facebook accounts.
The activity has been codenamed AccountDumpling by Guardio, with the scheme selling the stolen accounts back through an illicit storefront run by the threat actors. In all, roughly 30,000 Facebook accounts are estimated to have been hacked as part of the campaign.
“What we found wasn’t a single phishing kit,” security researcher Shaked Chen wrote in a report shared with The Hacker News. “It was a living operation with real-time operator panels, advanced evasion, continuous evolution and a criminal-commercial loop that quietly feeds on the same accounts it helps steal back.”
Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks
Cybersecurity researchers are warning of two cybercrime groups that are carrying out “rapid, high-impact attacks” operating almost within the confines of SaaS environments, while leaving minimal traces of their actions.
The clusters, Cordial Spider (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (aka O-UNC-025 and UNC6661), have been attributed to high-speed data theft and extortion campaigns that share a remarkable degree of operational similarities. Both hacking groups are assessed to be active since at least October 2025, with the latter a native English-speaking crew sharing ties to the e-crime ecosystem known as The Com.
“In most cases, these adversaries use voice phishing (vishing) to direct targeted users to malicious, SSO-themed adversary-in-the-middle (AiTM) pages, where they capture authentication data and pivot directly into SSO-integrated SaaS applications,” CrowdStrike’s Counter Adversary Operations said in a report.
Edu tech firm Instructure discloses cyber incident, probes impact
Instructure, the company behind the widely used Canvas learning platform, has disclosed that it recently suffered a cybersecurity incident and is now investigating its impact.
The U.S.-based education technology company is best known for developing Canvas, a widely used learning management system that helps schools, universities, and organizations manage coursework, assignments, and online learning.
“Instructure recently experienced a cybersecurity incident perpetrated by a criminal threat actor. We are actively investigating this incident with the help of outside forensics experts,” reads a statement from Steve Proud, Chief Security Officer.
CISA orders feds to patch Windows flaw exploited as zero-day
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure their Windows systems against a vulnerability exploited in zero-day attacks.
Tracked as CVE-2026–32202, this security flaw was reported by cybersecurity firm Akamai, which described it as a zero-click NTLM hash leak vulnerability left behind after Microsoft incompletely patched a remote code execution flaw (CVE-2026–21510) in February.
As CERT-UA revealed, the Russian APT28 (aka UAC-0001 and Fancy Bear) cyberespionage group exploited CVE-2026–21510 in attacks against Ukraine and EU countries in December 2025 as part of an exploit chain that also targeted a LNK file flaw (CVE-2026–21513).
GitHub fixes RCE flaw that gave access to millions of private repos
In early March, GitHub patched a critical remote code execution vulnerability (CVE-2026–3854) that could have allowed attackers to access millions of private repositories.
The flaw was reported on March 4, 2026, by researchers at cybersecurity firm Wiz through GitHub’s bug bounty program. GitHub Chief Information Security Officer Alexis Wales said the company’s security team reproduced and confirmed the vulnerability within 40 minutes and deployed a fix to GitHub.com less than two hours after receiving the report.
CVE-2026–3854 affects GitHub.com, GitHub Enterprise Cloud, GitHub Enterprise Cloud with Data Residency, GitHub Enterprise Cloud with Enterprise Managed Users, and GitHub Enterprise Server.
Popular WordPress redirect plugin hid dormant backdoor for years
The Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites, had a backdoor added five years ago that allows injecting arbitrary code into users’ sites.
The malware was uncovered by Austin Ginder, the founder of WordPress hosting provider Anchor, who found it after 12 infected sites on his fleet triggered a security alert.
Quick Page/Post Redirect plugin, available on WordPress.org for several years, is a basic utility plugin used for creating redirects in posts, pages, and custom URLs.