Shadowserver found over 6,400 publicly exposed ActiveMQ servers sitting vulnerable to CVE-2026-34197, a code injection flaw that lets authenticated attackers run arbitrary code. This vulnerability lived in the wild for 13 years before anyone caught it. Makes you wonder what else is hiding in widely used software right now, waiting for the right person (or tool) to look closely enough. CISA is already confirming active exploitation, which means this isn't theoretical. Federal agencies have until April 30 to patch, and if you're running ActiveMQ anywhere in your infrastructure—especially if it's internet-facing—treat that deadline like it's your own. The real lesson here: if a major component can stay broken for over a decade, your asset inventory had better be solid. You need to know what you're running and where. https://lnkd.in/dqDUcctC #cybersecurity #vulnerability #patching
Threatnoir’s Post
More Relevant Posts
This week in cybersecurity, the common thread wasn't a single flaw or a single threat actor — it was time.
→ cPanel's authentication bypass had been actively exploited for two months before a patch landed. By the end of last week, attackers had spawned "Sorry" ransomware, Mirai botnets, and a Southeast Asia espionage campaign in parallel on the same flaw.
→ A nine-year-old Linux kernel bug ("Copy Fail") grants any local user root in 732 bytes — and breaks container isolation on essentially every major distribution.
→ Microsoft's February patch for an APT28-exploited Windows Shell flaw left the credential-leak path wide open. Fancy Bear walked back in for ten more weeks.
→ Trellix disclosed a source code repository breach with dwell time and attribution still undisclosed.
→ And Vect 2.0 ransomware affiliates have been destroying victim data they thought they were holding hostage — even paying victims can't recover files larger than 128 KB.
The takeaway for security leaders: better patching alone doesn't close any of these windows. Egress controls, kernel isolation, immutable backups, and a real inventory of every AI tool with access to a developer environment are what stand between a single compromise and a bad week.
Full breakdown: https://openv.pn/4tWjd7E
#Cybersecurity #InfoSec #CISO #ZeroTrust #VulnerabilityManagement
Threat Thursday is back, and it's better than ever! Here's what I can't stop thinking about from this week: There used to be a gap between vulnerability disclosure and active exploitation. Now it's a coin flip...
▶️ MOVEit Automation: Critical pre-auth bypass. No exploitation (yet). Patch released.
▶️ Palo Alto PAN-OS: Zero-day already being exploited. Patch doesn't ship until May 13.
▶️ cPanel/WHM: Patched on April 28. But attackers have been exploiting since February.
Three vulnerabilities. Three completely different positions on the timeline. Three different defender postures required. The "we'll patch it next maintenance window" model assumes you have a window. Increasingly, you don't.
Full breakdown of all six stories — link in the comments 👇
Has your SLA for critical vulnerabilities shifted in the last six months?
#cybersecurity #threatintel #vulnerabilitymanagement
#500DaysCyberSec [Restarted] ☑️ Day 43 of #Challenge :- SSH Hardening Techniques That Can Stop Almost All Attacks on Your Server, Part 1
📌 Most attackers don't "hack" SSH instantly. They abuse weak configurations that admins forget to secure.
📌 In this deep dive, I explored how simple SSH hardening techniques can drastically reduce brute-force attacks, credential stuffing, password guessing, and automated bot scanning.
📌 The real danger? Default SSH settings running on internet-facing servers.
📌 Covered critical defenses like:
→ Disabling root login
→ Replacing passwords with SSH keys
→ Changing the default SSH port
→ Restricting unauthorized access
📌 And the scariest part… Most attackers are not manually targeting servers. Bots scan the internet 24/7 searching for systems with weak SSH configurations.
📌 One small hardening mistake can expose the entire server.
Happy Hacking 😃
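As an added example (not part of the post above, and not the author's code), here is a small POSIX shell audit that checks an sshd_config file for the four settings the post lists: root login, password versus key authentication, the default port, and an AllowUsers/AllowGroups restriction. The directive names are real OpenSSH sshd_config keywords; the two sample configs, their file names, and the helper names sshd_get and audit_sshd_config are constructed for this illustration. The parser assumes the plain "Keyword value" form and ignores Match blocks, which is a deliberate simplification.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the hardening items in the post.
# Sample configs below are constructed; directive names are real OpenSSH keywords.

# Print the effective value of one directive. sshd keeps the first occurrence
# it reads, so the first uncommented match wins; if the directive is absent,
# fall back to the supplied OpenSSH default. Commented lines never match because
# their first field starts with '#'. Assumes "Keyword value" form, no Match blocks.
sshd_get() {
  # $1 = config file, $2 = keyword (case-insensitive), $3 = default value
  val=$(awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1")
  if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Print one "FINDING:" line per weak setting. Always returns 0 so the output can
# be piped or counted without tripping "set -e" in a calling script.
audit_sshd_config() {
  cfg="$1"
  root=$(sshd_get "$cfg" PermitRootLogin prohibit-password)   # OpenSSH default
  pw=$(sshd_get "$cfg" PasswordAuthentication yes)            # OpenSSH default
  port=$(sshd_get "$cfg" Port 22)                              # OpenSSH default
  allow=$(sshd_get "$cfg" AllowUsers "")
  groups=$(sshd_get "$cfg" AllowGroups "")

  [ "$root" = "no" ] || echo "FINDING: PermitRootLogin is '$root' (expected no)"
  [ "$pw" = "no" ]   || echo "FINDING: PasswordAuthentication is '$pw' (expected no; use keys)"
  [ "$port" != "22" ] || echo "FINDING: Port is 22 (default port; scanned by every bot)"
  [ -n "$allow$groups" ] || echo "FINDING: no AllowUsers/AllowGroups restriction"
  return 0
}

# Constructed sample 1: defaults left in place on an internet-facing host.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed sample: near-default sshd_config
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
EOF

# Constructed sample 2: the hardened counterpart applying all four items.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
# constructed sample: hardened sshd_config
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy ops
MaxAuthTries 3
EOF

echo "== weak config =="
audit_sshd_config "$WEAK_CFG"      # prints four FINDING lines
echo "== hardened config =="
audit_sshd_config "$HARD_CFG"      # prints nothing
```

On a real host, `sshd -T` prints the effective configuration after Match blocks and include files are resolved, so feed its output to the audit rather than the raw file when you want the authoritative answer. Note that moving off port 22 only reduces automated scanner noise; the settings that actually close the door to password guessing are PermitRootLogin no, PasswordAuthentication no and an explicit AllowUsers/AllowGroups list.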
Yesterday Microsoft confirmed active exploitation of CVE-2026-32202 — and the part security teams keep glossing over is that this is the second patch for the same Windows Shell primitive. February's fix closed one trigger. The May variant still leaks NTLMv2 hashes zero-click. Federal deadline: May 12.
The hard question for any CISO this week: how do you know your fleet is actually patched — not just patched-on-paper?
This is what CloudShieldSecure does differently for a vulnerability like 32202:
→ It doesn't trust the KB number. It validates the residual primitive on the host — the LNK→UNC→SMB→NTLMv2 path — and reports whether the exploit condition is still live, regardless of what the version string says.
→ It correlates against the February patch fingerprint AND the April-14 patch fingerprint as one finding. "Patched in February" + "missed April" surfaces as a single 'incomplete patch' alert, not two separate version findings.
→ It pairs the host-side primitive check with NTLM-relay detection at the identity layer. If the residual primitive is exploited, the resulting hash relay shows up as a correlated event — not an isolated SMB anomaly disconnected from the original cause.
That's the capability difference: version strings on a CSPM dashboard tell you what the vendor says you're patched against. Host-level primitive validation tells you what an attacker can actually still do.
We covered the broader 'patched ≠ safe' problem yesterday — same week, two CISA KEV deadlines (May 12 Windows / May 15 Linux), same architectural failure. Today is the show-don't-tell.
If your patch-compliance dashboard is reporting 100% on CVE-2026-32202, that's a starting question, not an answer.
→ https://lnkd.in/eKVc7tWE
#CloudShieldSecure #CyberSecurity #PatchManagement #ZeroDay #NTLM #WindowsSecurity #CISA
Seeing a spike in Defender alerts for Trojan:Win32/Cerdigent.A!dha today. Based on public reporting and what's being discussed across the community:
* Alerts started appearing shortly after a recent Defender intelligence update
* Detections seem to be hitting DigiCert root certificates (Assured ID Root CA / Trusted Root G4)
* These are long-trusted root CAs present on most Windows systems
From what's being shared, it looks like Defender may be misidentifying these certificates due to a signature/hash match tied to the Cerdigent detection. Result:
* Certificates being quarantined
* High-severity alerts across multiple environments
* A lot of noise in a short period of time
At this point, it's widely being reported as a false positive, but I haven't seen anything official from Microsoft yet. There are also claims that a fix is rolling out, though that remains unconfirmed. Worth watching.
Technical Details for Admins:
Trigger Version: Security Intelligence Update 1.449.424.0.
Mechanism: The detection flags registry keys in AuthRoot\Certificates.
The Fix: Early reports suggest that checking for updates and moving to version 1.449.430.0 (or later) resolves the false positive and stops the alerts.
#CyberSecurity #MicrosoftDefender #InfoSec #FalsePositive
Your Apache server is a ticking time bomb.
The Problem: A critical "double free" vulnerability, CVE-2026-23918, in Apache HTTP Server 2.4.66 enables Remote Code Execution via HTTP/2 early resets.
The Agitation: Attackers don't need credentials. They just send a malicious early reset command.
- Memory corruption occurs instantly.
- Your server crashes (DoS) or worse—hackers execute arbitrary code.
- Sensitive data theft, ransomware deployment, or full system takeover becomes possible.
The attack surface is massive. Apache powers millions of websites globally.
The Solution: Patch immediately. No exceptions.
- Update to version 2.4.67.
- Disable HTTP/2 as a temporary workaround.
- Audit logs for unusual HTTP/2 traffic or crashes.
- Implement defense-in-depth with WAFs and network segmentation.
How is your team securing your infrastructure against this type of exploitation? Let's discuss in the comments below.
#CyberSecurity #VulnerabilityManagement #RCE
Microsoft disclosed CVE-2026-42897 last week. It's a high-severity Exchange Server vulnerability that's already being exploited in the wild. There is no patch. The attack works through Outlook Web Access. An attacker sends a crafted email, the recipient opens it in OWA, and the attacker gets code execution in their browser session. From there it's credential theft, silent mail forwarding rules, lateral movement. The only current mitigation is a service called EEMS that runs on Exchange servers. It only works if it's enabled and your server is on a build from March 2023 or later. If you're on Exchange 2016 or 2019 without extended support, you won't get a permanent fix at all. Same week, at Pwn2Own Berlin, a researcher chained three bugs for full SYSTEM-level RCE on Exchange. That's two independent attack paths in one week. CISA has now listed 19 Exchange vulnerabilities on their Known Exploited catalog. Fourteen were used in ransomware. If you're still running on-prem Exchange, the question isn't whether to migrate. It's how quickly you can get it done. https://lnkd.in/gudFpuvU #Cybersecurity #Exchange #ZeroDay #EmailSecurity #CloudMigration
Microsoft confirms active exploitation of a vulnerability. Not a warning. Not a theoretical risk. Already happening.
This is where most organisations fall behind. Because their model assumes:
• time to assess
• time to respond
• time to decide
But exploitation doesn't wait. So the real question isn't: "Are we vulnerable?" It's: "Would we even know — before it's too late?"
Because by the time something is "confirmed," the exposure has already existed. This is the real gap in cyber risk. Not tools. Not visibility. Timing - and control under uncertainty. That's what determines whether an incident is contained or escalates.
#CyberRisk #ZeroDay #OperationalRisk #CyberSecurity #DigitalRisk
Source: https://lnkd.in/eRBKX8wR
I’ve been digging into the recent Bitwarden CLI supply chain incident, and it’s a good example of where attacks are actually heading. On April 22, a malicious version of the Bitwarden CLI was published to npm after a compromise in its CI/CD pipeline through GitHub Actions. For a short window, anyone installing the tool pulled a backdoored package designed to exfiltrate developer credentials such as GitHub tokens, SSH keys, and cloud secrets. The important detail is that Bitwarden itself was not breached at the vault level. The attack targeted the build and distribution layer. This pattern is starting to repeat. In a separate incident, CPUID (CPU-Z / HWMonitor) had its official distribution channel compromised, serving malware through legitimate downloads. Different method, same idea. Compromise trust at the delivery point. I personally use both Bitwarden and CPU-Z, which is exactly why incidents like this stand out. They are not just theoretical. They make me stop and reassess what I trust on my own system. I have always advised users I support to only download software from official sources. Cases like this show that even that is not always enough. It raises a bigger point. We need to be more deliberate about what we install, what we allow to run, and how much implicit trust we give to software, even the reputable ones. From a security perspective, this also reinforces how important it is for organizations to strengthen monitoring and controls around software supply chains. In a constantly evolving threat landscape, defensive practices need to evolve just as quickly. 
Key takeaways:
- CI/CD pipelines are high-value targets
- Distribution channels are increasingly exploited
- Credential theft is a primary objective
- Official sources are not a guaranteed safety net
- Security depends on the entire delivery chain, not just the product
Sources:
Bitwarden CLI incident (The Hacker News): https://lnkd.in/e_GhzugK
CPUID / CPU-Z breach (The Hacker News): https://lnkd.in/eZb-FZ6Q
#CyberSecurity #InfoSec #SupplyChainSecurity #DevSecOps #ThreatIntelligence #CI_CD
Microsoft on Monday revised its advisory for a now-patched, high-severity security flaw impacting Windows Shell to acknowledge that it has been actively exploited in the wild. The vulnerability in question is CVE-2026-32202 (CVSS score: 4.3), a spoofing vulnerability that could allow an attacker to access sensitive information. It was addressed as part of its Patch Tuesday update for this