sig9.ch

sig9.ch contact information, map and directions, contact forms, opening hours, services, reviews, photos, videos and announcements from sig9.ch, IT company, Zurich.

sig9 is an IT and cybersecurity consulting firm specialized in secure software engineering, penetration testing, code audits, blockchain systems, and the design of security-critical processes.


Hacker Wars - June 02, 2026

Your daily dose of infosec chaos

---

Happy Tuesday. If you thought AI support bots were just for answering FAQ questions, think again - this week kicks off with attackers weaponizing Meta's own AI to hijack high-profile Instagram accounts. Add a supply chain attack on Red Hat's npm packages and some creative C2 hiding in Steam profiles, and you've got yourself a proper Tuesday morning wake-up call.

---

Meta's AI Support Bot Hijacks Instagram Accounts

Attackers figured out how to social-engineer Meta's AI support assistant into resetting account credentials, briefly hijacking the Instagram accounts for the Obama White House and the U.S. Space Force's Chief Master Sergeant. Pro-Iranian messages and images were posted before the accounts were recovered. The technique spread via Telegram tutorials, proving that AI customer support is now an attack surface.

**What to do:** Enable hardware-based MFA on all social media accounts. If your org manages high-profile accounts, review Meta's account recovery policies and consider dedicated account protection programs.

---

Red Hat npm Packages Hit by Supply Chain Attack

Over 30 npm packages under Red Hat's -cloud-services namespace were compromised, distributing a new credential-stealing malware variant called "Miasma." This is a supply chain attack targeting developers who trust official-looking package namespaces. If your CI/CD pipeline pulls from Red Hat's npm scope, you might have had a bad weekend.

**What to do:** Audit your dependencies for -cloud-services packages and check for indicators of compromise. Pin package versions and use lockfiles. Consider running npm audit in your pipelines.
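A lockfile audit of the kind the advice above calls for, written as an added example (not sig9's or Red Hat's code). It walks a `package-lock.json`, reports every package under a given scope, and flags entries with no `integrity` hash or a `resolved` URL outside the public registry, with an optional map of known-bad versions taken from a vendor IoC list. The `@placeholder-cloud-services` scope, the package names and the hashes are constructed stand-ins; the affected scope is elided on this page.

```python
import json

# Constructed package-lock.json (lockfileVersion 3 layout). The scope, package names
# and integrity values are placeholders, not the real affected packages.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"left-pad": "^1.3.0"}},
        "node_modules/@placeholder-cloud-services/frontend-components": {
            "version": "4.2.1",
            "resolved": "https://registry.npmjs.org/@placeholder-cloud-services/frontend-components/-/frontend-components-4.2.1.tgz",
            "integrity": "sha512-constructedhashvalueA==",
        },
        "node_modules/@placeholder-cloud-services/config": {
            "version": "1.0.9",
            "resolved": "https://registry.npmjs.org/@placeholder-cloud-services/config/-/config-1.0.9.tgz",
            # no "integrity": npm will not verify this tarball on install
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-constructedhashvalueB==",
        },
    },
})

REGISTRY = "https://registry.npmjs.org/"


def iter_packages(lock):
    """Yield (name, metadata) for every installed package in either lockfile layout."""
    if "packages" in lock:  # lockfileVersion 2 or 3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if path == "":
                continue  # the root project entry, not a dependency
            yield path.rsplit("node_modules/", 1)[-1], meta
    else:  # lockfileVersion 1: nested "dependencies" tree
        def walk(deps):
            for name, meta in deps.items():
                yield name, meta
                yield from walk(meta.get("dependencies", {}))
        yield from walk(lock.get("dependencies", {}))


def audit_lockfile(lock_text, scope, known_bad=None):
    """Return findings for every package under `scope`.

    known_bad maps package name -> set of versions from a vendor IoC list
    (a placeholder argument here; fill it from the advisory you are acting on).
    """
    known_bad = known_bad or {}
    findings = []
    for name, meta in iter_packages(json.loads(lock_text)):
        if not name.startswith(scope + "/"):
            continue
        reasons = []
        if not meta.get("integrity"):
            reasons.append("no integrity hash: tarball is not verified on install")
        if not meta.get("resolved", "").startswith(REGISTRY):
            reasons.append("resolved outside the public registry")
        if meta.get("version") in known_bad.get(name, set()):
            reasons.append("version listed as compromised")
        findings.append({"name": name, "version": meta.get("version"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCKFILE, "@placeholder-cloud-services"):
        status = "; ".join(f["reasons"]) or "ok"
        print(f"{f['name']}@{f['version']}: {status}")
```

Run it in CI against the repository's lockfile and fail the build on any non-empty `reasons`; `npm audit` covers known CVEs, whereas this check answers the narrower question of whether the compromised namespace is present at all and whether each entry is pinned to a verifiable tarball.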

---

Dashlane Users Locked Out After Brute Force Campaign

Multiple Dashlane users found themselves locked out of their password manager accounts after attackers launched brute-force login attempts from various locations and unknown devices. The irony of a password manager getting hit with credential stuffing attacks is not lost on anyone.

**What to do:** Enable 2FA on your password manager (yes, even password managers need a second factor). Use a strong, unique master password that isn't reused anywhere else.

---

WordPress Malware Hides C2 in Steam Profiles

Nearly 2,000 WordPress sites were infected with malware that uses Steam Community profile comments as a covert command-and-control channel. By hiding C2 instructions in plain sight on gaming profiles, the malware blends into normal web traffic and avoids traditional detection. Clever and annoying.

**What to do:** Keep WordPress core, themes, and plugins updated. Monitor outbound connections from your WordPress hosts. If you see unexpected Steam API calls, investigate immediately.

---

ClickFix and FakeUpdate Campaigns Hit Thousands of Sites

A threat actor dubbed DriveSurge is running large-scale malware distribution through compromised websites, using ClickFix fake error pages and FakeUpdate browser update prompts to trick users into downloading payloads. Thousands of sites are participating in this campaign, most of them unknowingly.

**What to do:** Educate users about fake browser update prompts and "fix this error" social engineering. Deploy web content filtering and keep endpoint protection updated.

---

Catch you tomorrow. In the meantime, go check your attack surface.

---

Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*


Hacker Wars - June 01, 2026

Your daily dose of infosec chaos

---

It's a triple threat Monday: VPN authentication bypasses, Linux kernel privilege escalation, and WordPress plugin takeovers. If your patching backlog was already giving you anxiety, this isn't going to help. Grab a coffee and check your attack surface.

---

Palo Alto GlobalProtect VPN Auth Bypass Under Active Exploitation

Palo Alto Networks confirmed that CVE-2026-0257, an authentication bypass in PAN-OS GlobalProtect, is now being actively exploited to breach corporate networks. Attackers are leveraging the flaw to bypass VPN authentication entirely, essentially walking through the front door without a key. If your org relies on Palo Alto for remote access, this is a five-alarm fire.

**What to do:** Patch PAN-OS immediately. If you can't patch yet, restrict GlobalProtect portal access to trusted IPs and enable MFA as a temporary band-aid.

---

CIFSwitch Linux Kernel Flaw Grants Root on Multiple Distros

A new local privilege escalation vulnerability dubbed CIFSwitch lets attackers forge CIFS authentication key descriptions and abuse the Linux kernel's key request mechanism to gain root. The flaw affects multiple distributions and is particularly nasty because it leverages a fundamental kernel subsystem. Local attackers can go from unprivileged user to full root with a single exploit.

**What to do:** Monitor for kernel patches from your distro vendor. Restrict CIFS module loading if possible and audit who has local access to your Linux boxes.

---

WP Maps Pro Plugin Bug Lets Attackers Create Admin Accounts

Hackers are actively exploiting a vulnerability in the WP Maps Pro WordPress plugin to create rogue administrator accounts on affected sites - no authentication required. The unauthenticated admin creation flaw means any attacker can waltz in and take full control of vulnerable WordPress installations. If you're running WP Maps Pro, assume compromise until proven otherwise.

**What to do:** Update WP Maps Pro to the latest version immediately. Check your WordPress user list for suspicious admin accounts and audit your site for backdoors.

---

That's all for now. Patch your stuff and don't click suspicious links.

---

Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*


Hacker Wars - May 26, 2026

Your daily dose of infosec chaos

---

Retail breaches, Iranian APTs still hunting after military strikes, and LMS zero-days getting exploited in the wild. Another Monday in infosec where "patch everything" is starting to sound less like advice and more like a survival strategy.

---

7-Eleven Breach Hits 185,000 Customers

ShinyHunters leaked data from 7-Eleven, exposing names, email addresses, physical addresses, and dates of birth of roughly 185,000 people. The breach came through a third-party partner repository, which is corporate-speak for "our vendor got popped and we inherited the mess." If you have a 7-Eleven account, assume your PII is out there.

**What to do:** Change passwords on any 7-Eleven linked accounts and watch for targeted phishing using your leaked personal details.

---

Iranian APT Nimbus Manticore Hits Aviation and Software

The Iranian threat group Nimbus Manticore has been quietly targeting aviation and software companies with refreshed tooling, and notably kept operating through and after the US military campaign against Iran. These folks don't take days off, apparently. The updated toolkit suggests they're investing in staying ahead of detection.

**What to do:** If you're in aviation or defense-adjacent software, review your network segmentation and check IOCs from recent Nimbus Manticore reports.

---

Microsoft Defender Gets Auto-Isolation for Compromised Endpoints

Microsoft is rolling out a feature in Defender for Endpoint that automatically isolates compromised machines from the network. The idea is to cut off lateral movement before attackers can pivot, essentially giving your SOC a robot that slams the network door shut without waiting for a human to approve the JIRA ticket.

**What to do:** Evaluate this capability in your Defender for Endpoint deployment and plan your isolation policies before enabling it in production.

---

KnowledgeDeliver Zero-Day Leads to Godzilla Web Shells

Attackers exploited a zero-day in KnowledgeDeliver LMS to deploy Godzilla web shells and Cobalt Strike beacons on vulnerable servers. LMS platforms are often overlooked in patch cycles because nobody thinks the training portal is interesting to attackers. Spoiler: they're wrong.

**What to do:** Audit your KnowledgeDeliver deployments immediately, check for unexpected web shells, and restrict internet-facing LMS instances.

---

Dutch Police Seize 800 Servers From Bulletproof Hosting Providers

Netherlands law enforcement arrested two administrators and seized 800 servers from a bulletproof hosting operation that had been providing infrastructure to Russian cybercriminal groups. The service was essentially an Airbnb for malware operators. This won't stop the threat actors, but it does mean they need to find new real estate.

**What to do:** Check if any of your threat intel feeds have updated blocklists with the seized infrastructure and update your defenses accordingly.

---

That's the chaos for today. Stay sharp out there.

---

Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*


Hacker Wars - May 22, 2026

Your daily dose of infosec chaos

---

Zero-days, SQLi, and APTs, oh my. Today's roundup is a buffet of "patch it yesterday" moments, plus a nice law enforcement win to remind you that botmasters do eventually get caught. Grab your coffee and let's dive in.

---

Trend Micro Apex One Zero-Day Under Active Exploitation

Trend Micro confirmed that attackers are actively exploiting a zero-day vulnerability in their Apex One endpoint protection product on Windows. The flaw allows code execution on affected systems, which is exactly what you don't want from your security software. Patches are out now, so stop reading and go apply them.

**What to do:** Update Apex One immediately. If you can't patch yet, check Trend Micro's advisory for interim mitigations and monitor for IOCs.

---

Drupal Sites Under Fire From Critical SQL Injection

Drupal dropped a "highly critical" SQL injection advisory earlier this week, and attackers are already scanning for vulnerable installations. SQLi in a CMS is classic but devastating: it can lead to full database dumps, admin account takeover, and lateral movement. If you're running Drupal and haven't patched, your site is probably already being probed.

**What to do:** Apply the Drupal security update now. Review your database logs for suspicious queries and audit any exposed admin accounts.

---

Ubiquiti Ships Emergency Patches For Three Max-Severity UniFi Flaws

Ubiquiti patched three vulnerabilities in UniFi OS that all carry the maximum CVSS score of 10.0. The best part? They're remotely exploitable with zero authentication. If you're running UniFi gear in your network, these are the kind of bugs that keep penetration testers up at night, and attackers up even later.

**What to do:** Update UniFi OS to the latest version immediately. If you can't patch, restrict management access to trusted networks only.

---

KimWolf Botmaster Busted In Joint U.S.-Canada Operation

Authorities in the U.S. and Canada arrested a 23-year-old Ottawa man accused of running the KimWolf IoT botnet, which enslaved nearly two million devices for DDoS attacks. The botnet allegedly powered some massive attacks over the past six months. Another reminder that operating a botnet is a career with excellent job security, if your definition of "job security" includes federal charges.

**What to do:** Review your network for IoT devices with default credentials. Segment IoT gear away from critical infrastructure.

---

China-Linked APT Targets EU Governments Via Discord and Microsoft Graph

A Chinese threat group dubbed Webworm has been hacking European government entities by abusing legitimate services like Discord and Microsoft Graph for command and control. They're also using SoftEther VPN and other tunneling tools to blend malicious traffic with normal network activity. Living off the land meets living off the cloud, and it's working.

**What to do:** Monitor for unusual traffic to cloud services like Discord API and Microsoft Graph from non-user endpoints. Review your egress filtering policies.
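The egress monitoring recommended here, and in the WordPress/Steam item above, comes down to one question: which hosts that should never act like a user's browser are talking to consumer or collaboration APIs, and are they doing it on a timer? The example below is added here and is not sig9's code or any vendor's; it parses constructed proxy log lines, flags server-role hosts reaching watched domains, and marks series whose request intervals are regular enough to look like a beacon. The host names, the server list (which in practice comes from your asset inventory) and the log format are assumptions.

```python
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed egress log export, not real traffic. Format (one event per line):
# timestamp  source_host  destination  dst_port  bytes_out
SAMPLE_LOG = """\
2026-05-22T09:00:00Z wp-web-01 steamcommunity.com 443 812
2026-05-22T09:02:13Z laptop-alice discord.com 443 51200
2026-05-22T09:05:00Z wp-web-01 steamcommunity.com 443 804
2026-05-22T09:07:41Z fileserver-02 graph.microsoft.com 443 2048
2026-05-22T09:10:00Z wp-web-01 steamcommunity.com 443 810
2026-05-22T09:11:04Z wp-web-01 api.wordpress.org 443 1500
2026-05-22T09:15:00Z wp-web-01 steamcommunity.com 443 809
"""

# Hosts that have no business behaving like a user endpoint (constructed; take this
# from your CMDB or host-role tags in practice).
SERVER_HOSTS = {"wp-web-01", "fileserver-02"}

# Legitimate services that are unusual destinations for a server-role host.
WATCHED_DOMAINS = ("discord.com", "discordapp.com", "graph.microsoft.com", "steamcommunity.com")


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, bytes_out)."""
    ts, src, dst, port, nbytes = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, dst, int(port), int(nbytes)


def matches_watchlist(dst):
    """True if dst is a watched domain or a subdomain of one."""
    dst = dst.lower().rstrip(".")
    return any(dst == d or dst.endswith("." + d) for d in WATCHED_DOMAINS)


def looks_periodic(timestamps, min_events=4, max_jitter=0.1):
    """Flag a series whose inter-request gaps vary by at most max_jitter of the mean gap."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter


def detect(log_text):
    """Return one finding per (server host, watched destination) pair seen in the log."""
    series = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, src, dst, _port, _nbytes = parse_line(line)
        if src in SERVER_HOSTS and matches_watchlist(dst):
            series.setdefault((src, dst), []).append(when)
    return [
        {"src": src, "dst": dst, "events": len(stamps), "periodic": looks_periodic(stamps)}
        for (src, dst), stamps in sorted(series.items())
    ]


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        beacon = " (regular interval, possible beacon)" if f["periodic"] else ""
        print(f"{f['src']} -> {f['dst']}: {f['events']} events{beacon}")
```

The laptop's Discord traffic is deliberately not flagged: the signal is the combination of host role and destination, not the destination alone, which keeps the rule usable on a network where users legitimately reach these services. Tune `min_events` and `max_jitter` to your log volume; real implants add jitter, so the periodicity flag is a hint to prioritise, not a verdict.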

---

That's the chaos for today. Stay sharp out there.

---

Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*


Hacker Wars - May 21, 2026

Your daily dose of infosec chaos

---

Supply chain attacks are back on the menu, zero-days are getting patched faster than you can say "CVE", and someone found a nine-year-old kernel bug hiding in plain sight. Just another Thursday in infosec.

---

GitHub Got Breached Through a VS Code Extension

Hackers compromised GitHub's internal repositories by poisoning the Nx Console VS Code extension, which an employee had installed. The malicious extension gave attackers access to 3,800 internal repos, because apparently we're still trusting random extensions with our crown jewels.

**What to do:** Audit your VS Code extensions list and remove anything you don't actively use. Implement extension allowlisting for corporate environments.

---

Microsoft Patches Defender Zero-Days Being Exploited in the Wild

Microsoft rushed out patches for two Defender vulnerabilities that attackers were already exploiting in real-world attacks. The zero-days allow attackers to bypass security protections, which is ironic considering Defender is supposed to be the thing protecting you.

**What to do:** Update Windows Defender immediately and check that your endpoint protection definitions are current.

---

Nine-Year-Old Linux Kernel Bug Finally Discovered

Researchers found CVE-2026-46333, a privilege escalation vulnerability in the Linux kernel that's been sitting there for nine years with a CVSS score of 5.5. It allows unprivileged local users to access sensitive information, because why fix bugs when you can just... not find them?

**What to do:** Check your Linux kernel version and apply patches from your distro. Consider running kernel hardening tools like grsecurity.

---

SonicWall VPN MFA Bypassed Through Incomplete Patching

Attackers brute-forced VPN credentials and bypassed MFA on SonicWall Gen6 SSL-VPN appliances to deploy ransomware tools. Turns out the patches SonicWall released earlier didn't fully address the vulnerabilities, which is a fancy way of saying "we tried."

**What to do:** If you're running SonicWall Gen6 SSL-VPN, apply the latest patches and consider switching to certificate-based authentication instead of passwords.

---

That's the chaos for today. Stay sharp out there.

---

Brought to you by sig9 - http://sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*


Hacker Wars - May 20, 2026

Your daily dose of infosec chaos

---

GitHub got popped, BitLocker got bypassed, and Grafana's source code walked out the door. Supply chain attacks are the gift that keeps on giving - if by "gift" you mean "incident response nightmares." Three stories, three different ways your trust model just got wrecked.

---

GitHub Breached - TeamPCP Steals 3,800 Internal Repos Via Malicious VS Code Extension

The TeamPCP hacking group confirmed what many feared: they accessed roughly 3,800 GitHub internal repositories after an employee installed a poisoned VS Code extension. The compromised employee device gave the attackers a foothold into GitHub's internal codebase, including private source code and internal tooling. GitHub says there's no evidence of customer data impact, but the exposure of internal repos is a significant intellectual property and security concern.

**What to do:** Audit your VS Code extensions inventory and implement allowlisting for developer tooling. If you're using GitHub, review your organization's access controls and monitor for anomalous API activity.

---

Microsoft Drops Mitigation for YellowKey BitLocker Zero-Day (CVE-2026-45585)

Microsoft released a mitigation for YellowKey, a BitLocker security feature bypass vulnerability that carries a CVSS score of 6.8. The zero-day, now tracked as CVE-2026-45585, was publicly disclosed last week and allows attackers to circumvent full-disk encryption protections. Microsoft is aware of active exploitation but a full patch isn't available yet - just a workaround.

**What to do:** Apply the Microsoft mitigation immediately if you rely on BitLocker for endpoint encryption. Consider layering additional encryption controls and monitor for physical access indicators on high-value endpoints.

---

Grafana Breach Deepens - TanStack npm Attack Vector Exposed

Grafana Labs confirmed that its recent GitHub breach, initially disclosed on May 19, involved a compromised npm package in the TanStack supply chain. The attackers leveraged the poisoned dependency to gain access to Grafana's GitHub environment, exfiltrating both public and private source code. Grafana says customer production systems and data were not affected, but the source code exposure could fuel future vulnerability research.

**What to do:** If you use Grafana products, pin your dependencies and monitor for security advisories. Review your software supply chain security posture and consider using tools like Sigstore or SLSA to verify package integrity.

---

Catch you tomorrow. In the meantime, go check your attack surface.

---

Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*


Hacker Wars - May 19, 2026

Your daily dose of infosec chaos

---

Tuesday's serving of security nightmares is here, and it's a mixed bag of supply chain attacks, government-grade credential leaks, and robots that apparently don't know how to say no to arbitrary commands. Grab your coffee and let's dive in.

---

CISA Contractor Leaks AWS GovCloud Keys on GitHub

A contractor for CISA - yes, the US government's cybersecurity agency - accidentally pushed AWS GovCloud credentials to a public GitHub repo. The exposed keys granted access to highly privileged accounts and a swath of internal CISA systems. You really can't make this stuff up.

**What to do:** Rotate any AWS keys that may have been exposed, audit your GitHub repos for accidental credential commits, and enable secret scanning on all repositories.

---

GitHub Actions Supply Chain Attack Steals CI/CD Credentials

Threat actors compromised the popular actions-cool/issues-helper GitHub Action, rewriting all existing tags to point to a malicious commit. The poisoned workflow harvested CI/CD secrets and exfiltrated them to an attacker-controlled server. If your pipelines use this action, assume your secrets are gone.

**What to do:** Audit your GitHub Actions workflows for dependencies on actions-cool/issues-helper, rotate all CI/CD secrets, and pin your actions to specific commit SHAs instead of tags.
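A workflow audit that checks both points above, as an added example (not sig9's code and not a GitHub tool): it scans workflow YAML for `uses:` lines, reports any action on a watchlist such as `actions-cool/issues-helper`, and flags every reference that is pinned to a tag or branch rather than a 40-character commit SHA, since a tag can be re-pointed exactly as described. The sample workflow is constructed and the 40-hex value in it is a placeholder, not a real commit of that action; it is a line-based parser, so YAML flow-style or multi-line `uses:` values would need PyYAML instead.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" whether or not it starts a list item, with optional quotes.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")

# Constructed workflow. The 40-hex ref is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: triage
on: [issues]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-cool/issues-helper@v3
        with:
          actions: 'add-labels'
      - name: toolchain
        uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""


def audit_workflow(text, watchlist=()):
    """Return one finding per risky `uses:` line: watchlisted action and/or mutable ref."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref_spec = m.group(1)
        if ref_spec.startswith(("./", "docker://")):
            continue  # local composite actions and container images are outside this check
        reasons = []
        if "@" in ref_spec:
            action, ref = ref_spec.rsplit("@", 1)
        else:
            action, ref = ref_spec, ""
            reasons.append("no ref: floats to the action's default branch")
        repo = "/".join(action.split("/")[:2])  # drop any sub-path inside the repo
        if repo in watchlist:
            reasons.append("action is on the compromise watchlist")
        if ref and not SHA_RE.match(ref):
            reasons.append(f"mutable ref '{ref}': tags and branches can be re-pointed")
        if reasons:
            findings.append({"line": lineno, "action": repo, "ref": ref, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW, watchlist={"actions-cool/issues-helper"}):
        print(f"line {f['line']}: {f['action']}@{f['ref']} -> " + "; ".join(f["reasons"]))
```

Pinning to a SHA fixes what your workflow runs, but not what that commit itself pulls in: a pinned action that installs unpinned npm dependencies at runtime is still exposed, so review the action's own dependency handling before treating the pin as sufficient.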

---

Critical Flaw Exposes Industrial Robot Fleets to Remote Hacking

CVE-2026-8153 is a critical OS command injection vulnerability in Universal Robots PolyScope 5, the software powering fleets of industrial robots worldwide. An attacker could exploit this to execute arbitrary commands on robot controllers - which is exactly as terrifying as it sounds when heavy machinery is involved.

**What to do:** Apply vendor patches immediately, segment industrial robot networks from corporate and internet-facing systems, and monitor for unusual command execution on robot controllers.

---

SHub macOS Infostealer Now Spoofs Apple Security Updates

A new variant of the SHub infostealer targets macOS users by displaying a convincing fake Apple security update dialog via AppleScript. Once the user clicks through, it installs a backdoor and starts siphoning credentials. Social engineering meets malware, macOS edition.

**What to do:** Only install macOS updates through System Settings, never from pop-up dialogs. Deploy endpoint detection on macOS devices and educate users about this attack vector.

---

INTERPOL Operation Ramz Takes Down 200 Cybercriminals

In a refreshing change of pace, INTERPOL's Operation Ramz resulted in the seizure of 53 malware and phishing servers and over 200 arrests across the Middle East and North Africa. The operation targeted cybercriminals running phishing campaigns and distributing malware. Sometimes the good guys do win.

**What to do:** No action needed - just enjoy this one. Consider it a palate cleanser between the doom and gloom.

---

Catch you tomorrow. In the meantime, go check your attack surface.

---

Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*


Hacker Wars - May 18, 2026

Your daily dose of infosec chaos

---

If today's headlines are any indication, supply chain security is still the gift that keeps on giving. Grafana joins the growing list of companies whose source code walked out the door thanks to a stolen token, while 7-Eleven confirmed that ShinyHunters made off with over half a million customer records from their Salesforce instance. Throw in a fresh chain of OpenClaw exploits and a batch of critical patches across Ivanti, Fortinet, SAP, VMware, and n8n, and you've got yourself a proper Monday.

---

Grafana Source Code Swiped via Stolen GitHub Token

Grafana Labs confirmed that attackers used a compromised GitHub access token to download the company's entire source code repository. While Grafana says there's no evidence the token was used to inject malicious code, the sheer fact that a single leaked credential gave full read access to the codebase is a textbook example of why token hygiene matters more than ever.

**What to do:** Audit your CI/CD pipelines and GitHub token scopes. If you're not pinning tokens to specific repos and actions with minimal privileges, today is the day to fix that.

---

7-Eleven Confirms Data Breach After ShinyHunters Ransom Demand

The convenience store giant confirmed a breach after ShinyHunters claimed to have exfiltrated over 600,000 Salesforce records containing personal information and corporate data. The group is now demanding a ransom, which 7-Eleven has reportedly declined to pay - setting up a potential data dump scenario.

**What to do:** If you rely on Salesforce or similar CRM platforms, enforce strict access controls and enable enhanced logging. Breaches through third-party SaaS are becoming the new normal.

---

Claw Chain: Four OpenClaw Bugs Chained for Full Sandbox Escape

Researchers demonstrated that four distinct vulnerabilities in OpenClaw can be chained together to steal credentials, break out of the sandbox environment, and install persistent backdoors on the host system. The exploit chain, dubbed Claw Chain, targets the application's privilege model and IPC mechanisms in a way that makes each individual bug look relatively harmless on its own.

**What to do:** Update OpenClaw immediately if you're running it. Sandboxes are a defense-in-depth measure, not a security boundary - plan accordingly.

---

Critical Patches: Ivanti Xtraction (CVSS 9.6) Leads a Busy Patch Tuesday

Ivanti, Fortinet, SAP, VMware, and n8n all shipped security updates this week, led by a critical unauthenticated RCE flaw in Ivanti Xtraction (CVE-2026-8043, CVSS 9.6) that allows remote attackers to execute arbitrary code. Fortinet, SAP, and VMware also patched privilege escalation and authentication bypass bugs worth your attention.

**What to do:** Prioritize the Ivanti Xtraction patch if you're running it. Then work through the rest - these vendors' products are prime targets for initial access brokers.

---

Until next time, may your logs be clean and your alerts be false positives.

---

Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*


Hacker Wars - May 15, 2026

Your daily dose of infosec chaos

---

Another day, another CVSS 10.0 zero-day actively exploited in the wild - this time Cisco's SD-WAN gets the honors. Microsoft Exchange also decided to join the party with an XSS zero-day, because apparently Patch Tuesday wasn't enough excitement this week. Oh, and a student shut down bullet trains with a radio. You know, just a normal Thursday.

---

Cisco SD-WAN Zero-Day Grants Full Admin Access (CVE-2026-20182)

Cisco confirmed that a maximum-severity authentication bypass in the Catalyst SD-WAN Controller is being exploited in the wild, handing attackers administrative control over affected devices. This is the second CVSS 10.0 flaw in Cisco's SD-WAN stack exploited this year - which is a pattern, not a coincidence.

**What to do:** Patch your SD-WAN controllers immediately. If you can't patch today, restrict management interface access to trusted networks only.

---

Microsoft Exchange XSS Zero-Day Targets Outlook Web Users

Microsoft published mitigations for a high-severity cross-site scripting flaw in Exchange Server that's already being weaponized against Outlook on the web users. Attackers can execute arbitrary code in the victim's browser context - classic stored XSS, but in your mail server.

**What to do:** Apply Microsoft's recommended mitigations and monitor Exchange logs for unusual OWAscript.aspx requests.

---

Pwn2Own Berlin Day One: 24 Zero-Days, Half a Million in Payouts

Security researchers walked away with $523,000 on day one of Pwn2Own Berlin after demonstrating 24 unique zero-days against Windows 11, Microsoft Edge, and other targets. The highlights included full system compromises that would make any red team proud.

**What to do:** Nothing actionable yet, but expect a flood of patches from Microsoft and friends in the coming weeks. Stay tuned.

---

Student With Software-Defined Radio Shuts Down Taiwan Bullet Trains

A Taiwanese student experimenting with software-defined radio technology managed to halt three high-speed trains for nearly an hour, triggering an anti-terrorism response. The incident exposed glaring gaps in rail system cybersecurity - specifically, the lack of signal authentication in critical transit infrastructure.

**What to do:** If you operate ICS or OT environments, assume radio-frequency attacks are within reach of motivated amateurs. Review your physical-layer security.

---

WordPress Burst Statistics Plugin Has Actively Exploited Auth Bypass

A critical authentication bypass vulnerability in the Burst Statistics WordPress plugin is being exploited to gain admin-level access to websites. If you run WordPress and this plugin sounds familiar, this is your wake-up call.

**What to do:** Update Burst Statistics immediately. If you're not using it, audit your WordPress plugins for anything you don't recognize.

---

That's all for now. Patch your stuff and don't click suspicious links.

---

Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*


Hacker Wars - May 14, 2026

Your daily dose of infosec chaos

---

Kernel vulns, mail server disasters, and ransomware gangs getting doxxed by their own sloppy OPSEC. Just another Wednesday in infosec.

---

New Fragnesia Linux Flaw Gives Attackers Root Access

A fresh kernel vulnerability dubbed "Fragnesia" (CVE-2026-46300) lets local attackers escalate to root on affected Linux systems. Distros are already pushing patches, but if you're running unpatched kernels in production, congratulations - you're a sitting duck.

**What to do:** Patch your Linux kernels immediately. Check your distro's security advisories and prioritize internet-facing hosts.

---

Critical Exim RCE Flaw Threatens Mail Servers Worldwide

The Exim mail transfer agent has a critical remote code execution bug that doesn't even require authentication to exploit. If you're running Exim in certain configurations, an attacker can execute arbitrary code on your mail server without credentials. That's about as bad as it gets.

**What to do:** Update Exim to the latest patched version. If you can't patch right now, consider restricting access to your SMTP ports and reviewing your Exim configuration for affected options.

---

West Pharmaceutical Confirms Ransomware Attack With Data Theft

West Pharmaceutical Services disclosed a cyberattack where hackers both stole data and encrypted systems - the classic double extortion playbook. The healthcare/pharma sector continues to be a favorite target, because nothing says "pay up" like threatening to leak sensitive data.

**What to do:** Review your organization's incident response plan and ensure backups are air-gapped and tested. If you're in healthcare, assume you're a target.

---

MuddyWater Expands Espionage Campaign Across Asia

Iran's MuddyWater group has been busy - at least nine organizations across multiple countries and sectors got hit in a broad cyber-espionage campaign. A major South Korean electronics manufacturer was among the targets. State-sponsored groups don't take days off.

**What to do:** Review network segmentation and monitor for known MuddyWater TTPs, including suspicious use of legitimate remote management tools.

---

The Gentlemen RaaS Gang Gets a Taste of Their Own Medicine

In a delightful turn of events, an OPSEC failure exposed the internal workings of "The Gentlemen" ransomware-as-a-service operation. The leak reveals their affiliate model, tactics, and organizational structure. Turns out even cybercriminals struggle with operational security sometimes.

**What to do:** Use the leaked IOCs and TTPs to update your threat detection rules. If you're tracking ransomware groups, this is a goldmine of intel.

---

Catch you tomorrow. In the meantime, go check your attack surface.

---

Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*

Address

Zürich
