County Government Reportedly Paid $1 Million to Cyber Extortion Group

A government entity in the US reportedly paid a $1 million ransom to the Kairos cyber extortion group to prevent the public dissemination of information stolen in a May 2025 intrusion, Ransom-ISAC reports.

A leaked negotiation transcript shows that the extortion group demanded $3 million in cryptocurrency from the victim organization, but eventually settled for $1 million.

Kairos claimed to have stolen over 2 terabytes of data, or approximately 1.6 million files, after accessing the victim’s environment in a brute-force attack.

During the three-week negotiation, the victim increased its offer from $100,000 to $430,000, but eventually accepted a hard deadline and the $1 million ransom, which was paid in Bitcoin on June 13.

The attackers pressured the victim with public exposure, while maintaining control of deadlines and proof-of-access artifacts.

“The affected entity’s responses are consistent with an organization buying time while legal, leadership, financial, and communications decisions were coordinated,” Ransom-ISAC notes.

Advertisement. Scroll to continue reading.

The anti-ransomware organization notes that the incident was an extortion attack and did not involve file-encrypting ransomware. The attackers’ proof-of-deletion appears selective, not comprehensive, but the listings they provided are consistent with a real file-server scrape.

According to Ransom-ISAC, the provided proof of deletion could have been generated by erasing a copy of the data, and no mechanism to independently verify the deletion was provided.

Ransom-ISAC did not name the affected organization, but the negotiation transcript identifies it as “a small county with very limited resources.”

The affected government body reportedly appears to be Union County, Ohio. In September, the county notified (PDF) 45,487 individuals that their personal information was stolen in a ransomware attack in May 2025.

The affected information included names, dates of birth, driver’s license/state ID numbers, passport numbers, Social Security numbers, financial account details, fingerprint information, medical information, and payment card details.

SecurityWeek has emailed Union County for a statement on the matter and will update this article if the county responds.

Related: Aflac Japan Data Breach Impacts 4.38 Million

Related: Nissan Employee Data Breached in Oracle PeopleSoft Hack

Related: Insurance Regulators Group NAIC Hit in Oracle PeopleSoft Hack

Related: More Klue Breach Victims Identified as Hackers Get Hacked

https://www.securityweek.com/county-government-reportedly-paid-1-million-to-cyber-extortion-group/




Critical Gitea Flaw Under Active Exploitation, Researchers Warn

Threat actors are exploiting a vulnerability in Gitea’s reverse-proxy authentication mechanism to access internet-accessible instances by supplying only a valid username.

Specific to Gitea’s official Docker images, the critical-severity security defect is tracked as CVE-2026-20896 (CVSS score of 9.8) and can be exploited with a single HTTP header, Sysdig Sr. Director of Threat Research Michael Clark says.

The issue exists because, in Gitea Docker images before 1.26.3, the default settings allow connections from any source IP address instead of enforcing an allowlist, security researcher Ali Mustafa, who was credited for finding the bug, explains.

If placed behind a proxy, Gitea should trust only a header set by the proxy when reverse-proxy authentication is enabled. Because of the flaw, anyone who could provide a valid username in a header could connect to a vulnerable instance, bypassing authentication.

“Any process that can reach the Gitea container’s HTTP port directly — not through the intended authenticating proxy — can impersonate any user whose login name is known or guessable. Admin accounts are the obvious targets,” the researcher notes.

The patch that was introduced in Gitea versions 1.26.3 / 1.26.4 makes reverse-proxy authentication an opt-in feature.

Advertisement. Scroll to continue reading.

According to Clark, CVE-2026-20896’s exploitation started 13 days after public disclosure. The attempt was associated with a “VPN-exit scanner that grabbed access”.

“No password. No token. One header. Sysdig sensors caught the first in-the-wild hit 13 days after the advisory,” Clark notes.

While Sysdig’s research revealed approximately 6,200 Gitea instances accessible from the internet, it is unclear how many of them are vulnerable.

Users are advised to update their Gitea deployments as soon as possible, as the successful exploitation of the vulnerability could lead to the complete compromise of all the code and secrets Gitea holds.

“A Gitea user can read and write their repositories, private ones included: the code they ship, the secrets developers committed by accident (API keys, DB credentials, deploy tokens), their CI/CD config, and deploy keys,” Clark notes.

Related: Critical Adobe ColdFusion Vulnerability Exploited in Attacks

Related: CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability

Related: Apple Patches Dozens of Vulnerabilities Across iOS, macOS, and Safari

Related: Gitea Vulnerability Exposed 30,000 Deployments to Attacks

https://www.securityweek.com/critical-gitea-flaw-under-active-exploitation-researchers-warn/




CISA Reportedly Using Anthropic’s Mythos to Scan Government Software for Flaws

The US Cybersecurity and Infrastructure Security Agency (CISA) is using Anthropic’s powerful Mythos AI model to scan and audit federal government software for security vulnerabilities, according to a report from Reuters.

Citing three sources familiar with the matter, Reuters reported that CISA is utilizing Mythos to scan code repositories across federal agencies. The operation aims to proactively discover and patch security bugs that could otherwise be exploited by foreign intelligence agencies and cybercriminals.

The audits are reportedly being spearheaded by CISA’s Attack Surface Evaluation team, a specialized unit tasked with conducting digital defense assessments and simulated hacking exercises across the federal landscape. Two sources stated that the AI-driven initiative has already uncovered a “large number” of software vulnerabilities. However, specific details regarding the severity of the flaws, the impacted agencies, or the volume of software reviewed have not been disclosed.

Neither Anthropic nor CISA provided formal on-the-record comments to Reuters regarding the operation.

Tensions between Anthropic and federal officials spiked dramatically earlier this year after the company refused administration demands to remove built-in safeguards restricting its models from being used for autonomous weaponry or domestic surveillance. In response, the Pentagon designated Anthropic as a supply-chain risk, a classification typically reserved for foreign firms suspected of espionage.

The National Security Agency (NSA) is also believed to be using Mythos in its operations.

Advertisement. Scroll to continue reading.

Late last month, a US official told the Associated Press (AP) that one of Anthropic’s artificial intelligence models had identified vulnerabilities in highly sensitive and secure US government computer systems during a testing exercise.

While the private application of Mythos has accelerated within the US intelligence and defense communities, Anthropic’s public-facing rollouts have triggered separate regulatory battles. When the company launched its public version of the model in early June, called Fable, concerns from the White House regarding foreign nationals accessing the tool prompted an abrupt administrative demand to restrict access. The ensuing standoff led to a temporary global shutdown of the Fable model, which was only lifted last week.

Learn More at the AI Risk Summit | Ritz-Carlton, Half Moon Bay

RelatedOpenAI and Anthropic Limit New AI Models to Trump-Approved Customers During Cybersecurity Review

RelatedWhen Information Becomes the Attack Surface – Understanding AI Agent Traps

https://www.securityweek.com/cisa-reportedly-using-anthropics-mythos-to-scan-government-software-for-flaws/




Critical Adobe ColdFusion Vulnerability Exploited in Attacks

Threat actors are exploiting a recently patched vulnerability in Adobe ColdFusion that carries a maximum severity rating.

Tracked as CVE-2026-48282 (CVSS score of 10/10), the security defect is described as a path traversal that could lead to arbitrary code execution.

It was patched on June 30 alongside five other max severity flaws in Adobe’s rapid application development platform that could be exploited for code execution.

Adobe released ColdFusion 2025 update 10 and ColdFusion 2023 update 21 to resolve these flaws, noting that it was not aware of any exploits in the wild targeting them.

However, the tech giant did assign a priority rating of 1 to the security update, urging users to apply the patches as soon as possible, given the high risk that attackers could start targeting the flaws.

However, according to the vulnerability intelligence platform KEVIntel, hackers began exploiting CVE-2026-48282 within two hours of its public disclosure.

Advertisement. Scroll to continue reading.

“KEVIntel captured in-the-wild exploitation within our global honeypot network,” KEVIntel founder Ryan Dewhurst said.

Shortly after, the Canadian Centre for Cyber Security also warned that the CVE has been exploited in attacks, based on open source reporting.

Adobe has yet to update its advisory to mention the vulnerability’s in-the-wild exploitation. SecurityWeek has emailed the company for a statement and will update this article if it responds.

“Adobe moved quickly to release a patch, but we’re seeing how dramatically the decision window has compressed. According to reports, attackers began exploiting the vulnerability within two hours of public disclosure, well before many organizations could realistically validate, prioritize, test, and deploy patches across production environments,” Tuskira co-founder and CEO Piyush Sharma commented.

“The challenge is determining which systems are reachable, which vulnerabilities create attack paths, and what compensating controls can reduce exposure while remediation is underway. As the window between disclosure and exploitation continues to shrink, organizations will increasingly compete on the speed and quality of their security decisions,” Sharma added.

Related: Linux Kernel Vulnerability Allows VM Escape on Intel and AMD Systems

Related: Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access Vulnerability

Related: Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution

Related: New CitrixBleed Vulnerability Exploited Immediately After Public Disclosure

https://www.securityweek.com/critical-adobe-coldfusion-vulnerability-exploited-in-attacks/




Iran-Linked Hackers Using Modular C&C Framework in Cyberattacks

An Iran-linked advanced persistent threat (APT) actor has been using a modular command-and-control (C&C) framework in recent attacks targeting organizations in Israel, Check Point reports.

Tracked as Cavern Manticore, the APT focuses on government entities and IT providers, and appears linked to Iran’s MOIS (Ministry of Intelligence and Security), with possible ties to the OilRig subgroup Lyceum (also known as Hexane and SiameseKitten).

Cavern Manticore’s C&C framework includes an adaptable toolset built using .NET, with various compilation formats used across components, used as an anti-analysis layer.

“This is not obfuscation in the traditional sense; there is no packer, no control-flow flattening, and no string encryption anywhere in the framework. Instead, the compilation format itself becomes the anti-analysis layer, since each of the three formats has to be reversed with a different toolchain and a different workflow, and the analyst has to context-switch between them across components,” Check Point notes.

The components are used as agents and modules, separating core communication functionality from post-compromise capabilities and allowing the attackers to tailor deployments per-victim and extend their access to the compromised environments.

The infection chain begins with the abuse of SysAid’s software update feature to sideload a WinDirStat DLL, which leads to the execution of the Cavern agent.

Advertisement. Scroll to continue reading.

After establishing command-and-control (C&C) communication, the agent fetches additional modules based on commands received from the operator.

Dedicated modules support file operations, database enumeration and manipulation, LDAP brute-force, network reconnaissance and SMB brute-force, and SOCKS5 proxy and WebSocket/WSS tunneling. The agent uses both managed and native modules.

The agent isolates each module into its dedicated AppDomain, which is terminated after the module is unloaded, removing them from memory to eliminate analyzable assembly artifacts. Additionally, the agent deletes all files and subdirectories in the working directory, except the communication module, config file, and log files.

According to Check Point, the Cavern framework was likely built using an AI model, but code comments and typos, as well as hand-picked names and various inconsistencies between modules, suggest a human was significantly and substantively involved in the development process.

As part of observed intrusions against Israeli targets, the APT used remote monitoring and management (RMM) solutions for lateral movement between victims. It also used browser-based remote desktop technologies to access victims’ environments and built-in features such as remote printing for data exfiltration.

“Recent campaigns suggest that the threat actor possesses a strong understanding of the complex IT supplier chains within Israel’s cyber ecosystem. In several cases, we observed evidence of the actor moving from an initial compromised IT provider to a second-hop provider before ultimately reaching the intended target organization,” Check Point notes.

Related: Cal Water Says No OT Systems Breached in Iranian Handala Cyberattack

Related: LA Metro Cyberattack Linked to Iranian State-Sponsored Hackers

Related: Iranian APT Targets Aviation, Software Companies With Updated Tools

Related: Iranian APT Intrusion Masquerades as Chaos Ransomware Attack

https://www.securityweek.com/iran-linked-hackers-using-modular-cc-framework-in-cyberattacks/




CISO Conversations: Tarah Wheeler, Cybersecurity Leader, Thought Leader and Original Thinker

Tarah Wheeler is CISO at TPO Group. TPO is an acronym for technology, policy and operations, and the firm provides cybersecurity consultancy for high-stakes organizations such as critical industries and federal agencies. But despite this elevated position, her journey was far from typical.

“I absolutely did not choose this career on purpose,” she said. “No, I fell backwards into it. I feel like this career dragged me into an alley, coshed me over the head, and said, ‘You’re one of us now. kid’.”

For Americans unfamiliar with British slang, the ‘cosh’ phrase would be better understood as ‘hit me over the head with a baseball bat’ – and it may be worth noting that although born in Washington, Wheeler is currently studying at Oxford in the UK.

“At heart, I think of myself as a social scientist and writer. There is no better place than cybersecurity to see how people behave when they think they’re not being observed, and then getting data on it.” It’s like she saw cybersecurity as an arena for interpersonal relations (friend versus foe, collaboration, international relations, leadership, etcetera), and having once entered the arena, she either didn’t or couldn’t leave it.

In that arena, she received a thorough grounding in cybersecurity. “I’ve been red team, I’ve been purple team, I’ve been SecOps, and I’ve been in physical, digital, and social cybersecurity. Now I find myself moving more and more into risk and compliance, because it describes the impact of people’s actions at scale and my ability to change them. I think that’s fun. I like seeing collective behavior, and compliance policy is how you make 50,000 people behave slightly better when it comes to security.”

The influence her love of social science has had on her journey into cybersecurity and her career within it is clear. Her second love, combining social science with writing, cannot be ignored. She mentioned her pride in authoring a Foreign Policy feature in 2018: In Cyberwar, There are No Rules. But there is much more. She wrote the book, Women in Tech: Take Your Career to the Next Level with Practical Advice and Inspiring Stories, and has written numerous policy papers for institutions including the Council on Foreign Relations and Harvard’s Belfer Center.

Advertisement. Scroll to continue reading.

Her increasing knowledge of cybersecurity (including stints with Microsoft, Silent Circle, Symantec and Splunk) gravitated her toward leadership. She became and remains CISO at Red Queen Technologies and is now also CISO (technically CSO) at TPO Group founded last year. Her proudest moment, she said, was when she gave testimony to the US Senate Committee on Homeland Security & Governmental Affairs during a hearing on The Cyber Safety Review Board in 2024.

She feels that the depth and range of hands-on practical experience in so many different security functions is fundamental to reaching her current level. “In security, your knowledge from every single thing you’ve done before builds over time. You don’t lose the perspective and information and skills that you get as a red teamer when you move into compliance. Instead, you start thinking about how people can crack and break and abuse compliance policy, and that makes you really, really good at compliance.”

Tarah Wheeler

In all her time in cybersecurity, she has never lost her earlier focus on social science, finding that the two subjects overlap and benefit each other. “The first case studies I ever did when I was in college were histories of conflict with China, Russia, and North Korea. And now I’m back again, dealing with conflict with China, Russia, and North Korea.”

She never lost her interest in foreign relations but now adds a cybersecurity lens. She was a security fellow at New America, “focused on South Asia and the Middle East, extremist groups such as ISIS, al Qaeda and allied groups, the proliferation of drones, homeland security, and the activities of US Special Forces and the CIA.”

She was a senior fellow for global cyber policy, and is a life member, at the Council on Foreign Relations. She is a member of the board of directors at EFF.

To social science and writing we should add another characteristic – a love of having fun. An example can be seen in the title of one of her policy papers, while at CFR, describing the role of a CISO: ‘Walk and chew gum…”. Another can be seen in her time at EFF. She founded and hosts the annual EFF Benefit Poker Tournament at DEF CON. “It’s a blast,” she said. “It’s been growing every year.” 

What she didn’t mention is that she is a very competent poker player herself, with earnings from professional tournaments quoted on the Hendon Mob Poker Database. 

She talked more about her time with EFF. “I remember Eva Galperin once saying the EFF is the closest thing that hackers have to a religion. And I don’t think she was wrong. This is the oldest digital rights organization in the world. It is a joy and a privilege.”

What is a hacker?

This raises an interesting question. It’s very difficult to find a universally agreed definition of ‘hacker’; so, what does Wheeler mean by the epithet?

“A hacker is a person with a certain set of skills. The list of skills from A Hacker Manifesto [by McKenzie Wark] is a good way to think about it.”

But, she added, “If I was to define a hacker, I might go back to Razor and Blade in the 1995 movie Hackers. Hacking is not a crime. It’s a set of survival traits, the ability to see the world orthogonally, to see how it is fragile, to see how you could take advantage of fragile physical, human and digital systems, and to make a choice in that moment between taking advantage of them or making them safer so other people cannot be harmed by them,” she said.

“People who use these skills for good are hackers. People who use the same skills for harm, are just criminals.” That’s another feature of Wheeler’s character – a tendency to slice through the noise to find the kernel.

If those skills define a hacker, what skills are necessary to be the leader she has become? 

Being a leader

“I think I’ve seen one single attitude that allows people to move from individual contributor to manager to leader: it’s the ability to subsume your own ego. To help other people do the job you used to do, but to help them do it better than you ever did – while taking no credit for it. Anybody can be a leader if they’re okay with their victories being other people’s successes.”

Wheeler clearly has many interests beyond the simple definition of cybersecurity. Do such outside interests help make a better cybersecurity leader?

“I don’t see how they cannot,” she said, “whether that’s by keeping your mind refreshed through tackling intellectual puzzles or doing something completely different. It can bring new perspectives and improve your ability to draw analogies to explain technical issues for people who aren’t in security but need to understand it.”

She stressed this point. “I think the more cross-disciplinary interests you have, the better senior practitioner of cybersecurity you become. Our job often requires explaining, using analogies, what’s going on in security to non-technical business leaders. The best way to do that is not to explain what it is, but what it is like. We must be able to explain security to business leaders in a way that helps them make good, risk-based decisions without having the quarter century of technical knowledge we have in our own head. There’s no way that outside interests don’t help you do that.”

She gave a personal example. Apart from the outside interests we have already noted, “I’m also a student pilot,” she said. It offers two advantages. “I guarantee that when you fly a plane for the first time, the last thing on your mind will be your day job.” So, it’s refreshing – and the security analogy is simple: “Do it right or die.” Incidentally, the same principle applies to another of her hobbies: motorcycling.

Burnout

It is worth wondering if having such a wide range of additional interests has any preventive effect on cybersecurity’s modern-day scourge: burnout. Probably, but only indirectly. “I think burnout is what happens when people feel trapped in their situation,” she said. “And a lot of things can make you feel trapped and powerless.”

She mentioned ‘late stage capitalism’ as a key factor. This term started life in Werner Sombart’s early‑20th‑century idea of the capitalism emerging after WW1. But as the nature of capitalism has evolved, so has the use of Sombart’s term evolved – from ‘late capitalism’ into ‘late stage capitalism’, and from scholarly into more or less derogatory. The term is now used as an almost satirical comment on the absurdities of modern market economies.

“I think earlier in my career, I would have described burnout more as a failure to manage yourself. Now, I see people being trapped in situations that are exhausting and inescapable.” Exhausting because of the absurdities in modern global business, and inescapable because of personal situations such as commitments, or debts, or even immigration status.

“In burnout,” she continued, “I see people who have become trapped. The solution is not to give them a self-care instruction, like go home and use a bath bomb – the solution is to figure out why they’re trapped and help them escape the trap. Even if you don’t see the trap, they feel it; and just because a trap is invisible to you doesn’t make it less real.”

Advice

What helped Wheeler reach her current position as both a cybersecurity and thought leader? What advice did she receive on her journey?

“At a personal level,” she replied, “The best advice came from the boss I had at that time. I was in the midst of a massive cybersecurity crisis, and he said, “In two years, this is going to be a story you tell yourself about something that once happened to you.”

It’s one of those simple statements with a wide range of possible interpretations and applications. Don’t fret too much about a current crisis because firstly you’ll get beyond it and it will become history, and secondly you are not defined by a single happening, good or bad. “Apprenticing to a truly great leader,” she added, “is the best way I’ve seen for learning to be a leader yourself. And that’s the best personal advice I’ve ever received.”

At a technical level, she continued, “The best advice I ever got was from Jon Callas.” Callas co-founded PGP Corporation and developed IETF standards including OpenPGP and DKIM, after Phil Zimmerman had developed the original PGP. Together, the two of them and Mike Janke founded Silent Circle, where Wheeler was a systems architect.

“I was frantically rebuilding some NVIDIA drivers for Kubuntu just 15 minutes before doing a conference presentation, because my laptop wouldn’t output the slides that I wanted it to display. Jon said, ‘Your job is to explain this technology to other people. Your job isn’t to write this driver. It’s a waste of your time to keep rebuilding your computer every six weeks when you have a talent for making people understand cybersecurity.’”

The lesson: focus on what is actually time-efficient and necessary to do the job.

And the advice she would now pass on to others?

“Fail hard and fail often,” she suggested. “I’ve probably failed seven out of every ten things I’ve tried. I accept that. I’m not ashamed of my failures, and you shouldn’t be afraid of your own failures. In fact, have more failures, because increasing the number of your attempts, and the ratio of your acceptable failures to success, is how you get awesome success. And it’s an acceptable price.”

What now?

So, what now? Having come so far and done so much in cybersecurity, what worries Tarah Wheeler most today in or about cybersecurity?

“The truth,” she answered. “I worry about the lack of ground truth in cybersecurity.  I’m concerned about the inability to parse truth and facts from what we are told. The problem in cybersecurity is we don’t have industry benchmarks, and we don’t have industry statistics. I’m continually asked, what is the correct number of phishing tests to run? How should we manage our identity? How many attacks should we expect and accept each year versus paying to remove them? What is our ROI on cyber insurance?”

The cause, she continued, is, “We don’t have the relevant information because we’re bombarded by the media, by marketing from large companies with corporate data, and even from the government with white papers. None of this is actual science telling us the true impacts of international action, of user actions, of state threats, of APTs. We don’t have that because we don’t have a Bureau of Cyber Statistics in the US, because there is a lack of political will to create a source of truth.”

She clearly feels passionate about this. “Hell, NIST right now is under attack, and NIST was the last bastion of irrefutable evidence.” She refers to the major downsizing in NIST’s workforce instigated by the Department of Commerce as part of a broader federal push to downsize agencies. It started around the Spring of 2025, with the termination of more than 70, mostly ‘probationary’ staff. By the end of January 2026, CyberScoop reported, “The agency has shed more than 700 jobs since 2025, including 89 at a lab responsible for testing and validating the government’s encryption.” This is not internal restructuring, but government-enforced workforce downsizing.

“We don’t have central repositories and sources of truth, and as a result, we don’t have a firm footing upon which to make our decisions. That’s the thing that keeps me up at night. In cybersecurity, it is manifested by people in the media who substitute Gartner quadrants for facts; it is manifested in the way I can’t tell if what I’m reading on a previously respected journalistic outlet is in fact the truth, or if something is being excluded or added. Right now, it’s very difficult to tell if I am truly building my knowledge base, or if I’m just stacking hype on hype in my brain – and that is distressing.”

Related: Beyond the Hype: Questioning FUD in Cybersecurity Marketing

Related: CISO Conversations: Timothy Youngblood; 4x Fortune 500 CISO/CSO

Related: CISO Conversations: Keith McCammon, CSO and Co-founder at Red Canary

Related: CISO Conversations: John ‘Four’ Flynn, VP of Security and Privacy at Google DeepMind

https://www.securityweek.com/ciso-conversations-tarah-wheeler-cybersecurity-leader-thought-leader-and-original-thinker/




Linux Kernel Vulnerability Allows VM Escape on Intel and AMD Systems

A newly disclosed Linux kernel vulnerability can be exploited to escape virtual machines (VMs) and execute code on the underlying host, security researchers warn.

Tracked as CVE-2026-53359 and referred to as Januscape, the security defect impacts the shadow MMU code in Linux Kernel-based Virtual Machine (KVM) hypervisor.

The guest-to-host vulnerability poses a major threat to multi-tenant x86 public clouds running untrusted guests and exposing nested virtualization. It is known to be the first KVM exploit that can be triggered on both Intel and AMD architectures.

The flaw was discovered by security researcher Hyunwoo Kim (@v4bel), who demonstrated it as a zero-day in Google kvmCTF, the bug bounty program that works like a CTF event and offers up to $250,000 for full VM escape weaknesses.

According to Kim, the vulnerability is a use-after-free vulnerability that can be triggered from the VM to corrupt the shadow page state of the host’s kernel.

Successful exploitation of Januscape, the researcher explains, can lead to the full compromise of the host on which the VM is running.

Advertisement. Scroll to continue reading.

“For example, an attacker who has rented just a single instance on a public cloud could panic the host kernel to take down every other tenant VM on the same physical machine (DoS), or run code with root privilege on the host to take over the host and all the guests on it (RCE),” Kim explains.

On certain Linux distributions, such as Red Hat Enterprise Linux (RHEL), the security defect can be exploited by unprivileged users to escalate their privileges to root.

Januscape’s exploitation requires root privileges on the guest machine, which is typically available by default when a user is allocated a VM instance on a public cloud. If root access is not available, an attacker could chain the flaw with a privilege escalation bug, such as Dirty Frag, Kim says.

CVE-2026-53359 stayed dormant in the Linux kernel for 16 years. It was patched in mainline on June 19, when commit 81ccda30b4e8 was merged.

Related: Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access Vulnerability

Related: ‘DirtyClone’ Linux Kernel Vulnerability Leads to Root Access

Related: Organizations Warned of Exploited Linux Kernel Vulnerability

Related: 19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access

https://www.securityweek.com/linux-kernel-vulnerability-allows-vm-escape-on-intel-and-amd-systems/




Keyfactor Scores $1 Billion+ Investment for AI, Post-Quantum Security

Keyfactor, which helps organizations connect humans, machines, and AI with cryptographic security, has secured a strategic growth investment exceeding $1 billion.

The massive capital injection comes as enterprises are grappling with what is sometimes described as “identity sprawl“, where machine identities can significantly outnumber human identities.

Rather than relying on isolated, fragmented security tools, Keyfactor offers an end-to-end platform called the Trust Control Plane. The unified platform provides centralized visibility into cryptographic assets and automates the lifecycle management of machine identities across cloud, hybrid, and on-premises environments and safeguarding everything from standard devices to autonomous AI agents.

The newly injected capital is earmarked to accelerate Keyfactor’s global operations, advance product innovation, expand its geographic footprint, scale its team, and fund potential strategic acquisitions.

The funding round was led by growth equity firm Summit Partners.

The urgency around post-quantum readiness has intensified following the White House’s June 2026 executive order, which mandate an accelerated federal transition to quantum-safe cryptography ahead of a 2030 deadline.

Advertisement. Scroll to continue reading.

“In our view, the convergence of post-quantum preparation, agentic AI governance, shrinking certificate lifespans, and evolving regulatory expectations is creating an increasingly urgent need for a unified, enterprise-grade platform,” said Andy Collins, Managing Director at Summit Partners.

The company currently manages billions of machine identities annually for a client base exceeding 2,500 organizations worldwide.

Following the investment transaction, existing backers Insight Partners and Sixth Street Growth will retain significant ownership stakes in Keyfactor.

RelatedGoogle Slashes Quantum Resource Requirements for Breaking Cryptocurrency Encryption

RelatedQuantum Bridge Raises $8 Million for Quantum-Safe Key Distribution Solution

RelatedQuantum Decryption of RSA Is Much Closer Than Expected

https://www.securityweek.com/keyfactor-scores-1-billion-investment-for-ai-post-quantum-security/




Blogspot-Hosted Payloads Delivered in ‘Veil#Drop’ Attacks

Securonix has uncovered a sophisticated multi-stage malware delivery framework that uses compromised websites and social engineering to infect users with information stealers.

Dubbed Veil#Drop, the framework combines JavaScript launchers and PowerShell download cradles for the deployment and execution of malware hosted on Blogspot, Google’s trusted infrastructure.

The infection chain begins with a JavaScript file posing as a document, designed to launch PowerShell code and evade execution policies. The PowerShell retrieves additional payloads from attacker-controlled Blogspot pages.

The Blogspot-hosted payload displays a decoy document, terminates specific processes, and decrypts embedded content. The decoded code generates additional Blogspot URLs and executes subsequent payloads directly in memory.

“A second-stage loader contains XOR-encoded .NET assemblies stored as large embedded data blobs that are reconstructed and decrypted at runtime, preventing straightforward static analysis and reducing the effectiveness of signature-based detection mechanisms,” Securonix explains.

The sophisticated infection chain also contains several fallback mechanisms, abusing trusted Microsoft-signed binaries for code execution and defense evasion.

Advertisement. Scroll to continue reading.

“The combination of compromised websites, multi-extension masquerading, trusted cloud services, XOR-obfuscated payloads, reflective .NET loading, fileless execution, and LOLBIN abuse demonstrates a deliberate effort to evade traditional antivirus solutions, reduce forensic artifacts, and maintain operational stealth throughout the infection lifecycle,” Securonix notes.

In the end, the victim’s machine is infected with PureLog Stealer, a .NET-based information stealer that performs system reconnaissance and starts harvesting data from Google Chrome. Microsoft Edge, Firefox, Brave Browser, Opera, and Chromium-based browsers.

The malware targets credentials, cookies, autofill data, session tokens, browsing histories, and other sensitive information stored in the browsers. It also searches for cryptocurrency wallet information on the victim’s machine.

Additionally, PureLog Stealer can harvest information from messaging applications, email clients, remote access software, FTP clients, cloud storage applications, developer tools, and password managers. The malware packages the harvested information and sends it to attacker-controlled servers in an encrypted form.

Given PureLog Stealer’s extensive data harvesting capabilities, a single infected workstation could lead to broader environment compromise, depending on the credentials, tokens, keys, and other secrets stored on the system.

“In enterprise environments, information stealers are frequently the first stage of larger intrusion campaigns. Stolen credentials may later be used to deploy ransomware, conduct data theft operations, perform business email compromise attacks, or facilitate long-term espionage activities,” Securonix notes.

Related: Critical SimpleHelp Vulnerability Exploited for Malware Delivery

Related: CryptoBandits Malware Doubles as a Backdoor, Abuses Tor

Related: Rokarolla Banking Trojan Targets 200 Applications

Related: Infostealers Turn Millions of Devices Into Credential Theft Machines

https://www.securityweek.com/blogspot-hosted-payloads-delivered-in-veildrop-attacks/




The Shift Toward Business-Aligned Risk Management

In the movie Moneyball, the Oakland A’s didn’t need more data; they needed to know which data actually won games. Risk assessment data has the same problem. A CVSS score of 9.1 might mean little to a CFO; the fact that it represents a vulnerability in a payment system processing $2 million daily means a great deal. This data must therefore link to information about operational disruptions that can cause financial loss, product delays, or draw the ire of regulatory authorities, for it to become more actionable.

A More Connected Risk Lifecycle is the Way Forward

Periodic risk assessment cannot keep pace with a dynamic threat landscape, underpinned by a volatile geopolitical environment and emerging technologies such as AI and quantum computing. Information risk management must instead become an ongoing process that connects risks, how well controls are working, and the potential consequences for the business if the controls don’t work.

Different risks have varying levels of impact, available data, and stakeholder needs.; therefore, the depth of analysis also varies. There are two analysis tracks you can use for this purpose. Qualitative analysis works when you need a fast decision with limited data, such as quickly rating the risk of a new SaaS vendor during procurement. Quantitative analysis fits when investment decisions need financial backing, e.g., deciding whether money spent on endpoint detection is justified given the projected cost of a ransomware incident. The IRAM3 methodology brings both tracks into a single unified framework that follows the same process flow end-to-end and is designed to be modular, so organizations can enter at whichever phase best fits their immediate needs.

The Shift Towards Business-Aligned Risk Management

A connected risk lifecycle changes how organizations understand business impact, interpret threats, evaluate controls, measure exposure, and compare treatment options. More importantly, it keeps these activities connected rather than treating each assessment as an isolated exercise.

Establish Business Impact

Ideally, related assets must be grouped by the business function they support, e.g., trading floor, customer data environment, or a payment gateway. This allows teams to conduct risk assessments that tie to how the business actually operates. This will help define your risk appetite. E.g., certain features of a stock trading platform failing during peak trading are a high-impact risk and can inflict significant financial loss and reputational harm.

Advertisement. Scroll to continue reading.

Analyze Threat Events

Knowing your asset environment is just half the picture. The next step is to identify what threatens your assets, map relevant threats to critical assets, and estimate how likely they are to materialize. From the quantitative perspective, you move from a rating to assign a three-point frequency estimate, including minimum, most likely, and maximum. This estimate represents the number of loss events you’d expect in a year.

Testing Control Effectiveness

A company might report full multifactor authentication coverage, but if privileged service accounts are excluded because enabling MFA broke a legacy integration, that gap is a direct route into critical systems. Controls must therefore be mapped to specific threats, assessed for how well they are implemented, and evaluated for whether they actually reduce risk.

Two questions matter most: does the control reduce the likelihood of a threat materializing, and does it limit the damage if the threat does occur? Both dimensions are needed. A control that contains an incident but does nothing to prevent it is only half effective, and investment decisions should reflect that.

Risk Analysis and Calculation

Two risks labeled high-impact risks might look very different if you dig a little deeper. One risk could result in a probable $1 million loss, and the other, with a smaller chance of occurring, could result in losses exceeding $10 million. The same label is muddying the waters around risk and hiding a material difference in capital exposure.

Qualitative ratings plotted on a risk matrix give a fast directional view. Quantitative modeling using simulation techniques to generate a probability distribution of potential losses reveals which threats drive the greatest financial exposure and where treatment effort should be concentrated. Both views have their place, and it’s not about choosing one over the other.

Treatment by Business Value

Treatment starts by comparing your current risk exposure against your appetite for it, then deciding how to respond. A retailer might have to choose between stronger fraud controls, introducing more controls to the payment process, or purchasing more insurance. Risk modeling will help determine how each control affects expected loss and customer friction, thus helping commit to a treatment plan that makes more sense for your business. Business leaders can test and compare alternatives rather than committing to the first acceptable plan. E.g., Insurance can reduce financial consequences, but it cannot restore operations, customer trust, or regulatory standing.

Turn Plans into Measurable Improvement

Once you have a remediation plan, implement it, verify completion, and evaluate the remaining risk. Imagine a manufacturer implementing network segmentation but not verifying if the key production system can be isolated.

All actions should have ownership, deadlines, and provide evidence of efficacy. If there is residual exposure, it must be reassessed against risk appetite, and treatment initiated if necessary.

As your business grows, dependencies change, and your existing security posture may be unable to address emerging threats. Controls will have to move in step. Risk information must therefore be continuously reviewed, communicated, and improved. The goal is not a more polished register, but a repeatable way to direct resources, protect business outcomes, and make uncertainty an informed part of enterprise strategy. In a volatile landscape, the organizations that win won’t be those that avoid risk entirely, but those that master the data required to navigate it.

https://www.securityweek.com/the-shift-toward-business-aligned-risk-management/