Marius Avram

16.9K posts

@securityshell

Web Application Security Consultant. Two sons' proud dad! https://t.co/uEjJ0UQkhV

Joined May 2009
1.3K Following · 16.2K Followers

Marius Avram retweeted
Costin Raiu (@craiu)
A leak has provided an unprecedented glimpse into the internal operations of the ransomware-as-a-service group known as "The Gentlemen". The group operated with a relatively small core team and recruited technical affiliates. Operators communicated via Tox protocol in addition to the Rocket.Chat. The primary initial access vector across all confirmed intrusions was CVE-2024-55591, a pre-authentication bypass in FortiOS/FortiProxy affecting HTTPS management interface and SSL-VPN. In some rare cases, the group obtained valid Okta credentials from commercial infostealer log markets, bypassing VPN/perimeter controls entirely. VERY cool report:
Tera (@Tera0017)

📄New CPr Publication: "Thus Spoke...The Gentlemen"
Inside the leaked chats:
🔹 Internal workflow breakdown
🔹 RaaS organization members
🔹 Tools & CVEs
🔹 Negotiation techniques
A comprehensive look at how this group operates. Full report. 👇

Marius Avram retweeted
News from Google (@NewsFromGoogle)
The Google Threat Intelligence Group has detected the first known instance of a threat actor using an AI-developed zero-day exploit in the wild. While the attackers planned a wide-scale strike, our proactive counter-discovery may have prevented that from happening. This finding is part of our new report on AI-powered threats.

Marius Avram retweeted
International Cyber Digest (@IntCyberDigest)
‼️🚨 Microsoft has patched a critical Windows DNS Client remote code execution vulnerability that allows an unauthorized attacker to execute code over a network. All it takes is a malicious DNS response.

The vulnerability is tracked as CVE-2026-41096 with a CVSS score of 9.8. It is a heap-based buffer overflow in dnsapi.dll, the Windows component that processes DNS answers on every machine.

To trigger it, an attacker needs a position where they can influence DNS responses: a rogue DNS server, a poisoned resolver, a compromised router, hostile WiFi, or a man-in-the-middle placement.

That puts ordinary Windows DNS activity in the blast radius. Browsers, VPN clients, enterprise apps, update checks, and background services constantly ask DNS where to connect. The vulnerable processing sits in the Windows DNS Client path, not an edge-facing server product.

Microsoft assessed exploitation as "less likely," and Rapid7 lists the issue as not publicly disclosed and not known to be exploited at release. On the contrary, a 9.8 unauthenticated network RCE in DNS client handling is exactly the kind of bug defenders should assume will be reverse-engineered quickly.

Defenders should:
- Deploy the May 2026 cumulative updates and confirm coverage across endpoints and servers
- Restrict DNS traffic to trusted resolvers where possible
- Monitor Dnscache and svchost.exe for abnormal child processes or unexpected outbound activity
- Treat public WiFi and untrusted resolver paths as higher-risk until patching is complete

Marius Avram retweeted
shubs (@infosec_au)
We've just released a high fidelity scanner for CVE-2026-41940 (cPanel/WHM authentication bypass). All public PoCs so far lead to false negatives, and are not reliable. @SLCyberSec's research team's notes on this here: slcyber.io/research-cente… & tool here: github.com/assetnote/cpan…

Marius Avram retweeted
International Cyber Digest (@IntCyberDigest)
🚨 PATCH NOW: A Firefox bug let attackers fingerprint your browser and follow you even in Private Browsing, and in Tor browser even after a "New Identity." The vulnerability made it possible for unrelated websites to independently observe the same fingerprint and quietly link your activity across them. Mozilla patched CVE-2026-6770 on April 21, 2026 in Firefox 150, ESR 140.10, and Thunderbird. The Tor Project shipped Tor Browser 15.0.10 with the fix. If you are still on an older build, your Private Browsing wasn't private and your Tor session wasn't either. Update now.

Marius Avram retweeted
XBOW (@Xbow)
GPT-5.5 is dramatically changing how AI performs in security testing. In our evals, it cut missed vulnerabilities to 10% (down from 40% in GPT-5). That’s not incremental; it’s a step change. Our Head of AI, Albert Ziegler, shares more in this @thenewstack article from @psawers: bit.ly/41OTPUZ

Marius Avram retweeted
Bloomberg (@business)
Anthropic's Mythos has been accessed by a small group of unauthorized users, raising questions about control of the AI model bloomberg.com/news/articles/…

Marius Avram retweeted
The Hacker News (@TheHackersNews)
🛑 A design flaw in Anthropic’s MCP allows remote command execution on AI systems. 150M+ downloads affected as unsafe STDIO defaults expose 7,000+ services, including tools like LangChain and Flowise. Anthropic calls the behavior “expected,” leaving the risk across the AI supply chain. 🔗 Read → thehackernews.com/2026/04/anthro…

Marius Avram retweeted
Vercel (@vercel)
We’ve identified a security incident that involved unauthorized access to certain internal Vercel systems, impacting a limited subset of customers. Please see our security bulletin: vercel.com/kb/bulletin/ve…

Marius Avram retweeted
Claude (@claudeai)
Introducing Claude Opus 4.7, our most capable Opus model yet. It handles long-running tasks with more rigor, follows instructions more precisely, and verifies its own outputs before reporting back. You can hand off your hardest work with less supervision.

Marius Avram retweeted
International Cyber Digest (@IntCyberDigest)
‼️🇪🇺 The EU's new Age Verification app was hacked with little to no effort.

When you set it up, the app asks you to create a PIN. But that PIN isn't actually tied to the identity data it's supposed to protect. An attacker can delete a couple of entries from a file on the phone, restart the app, pick a new PIN, and the app happily hands over the original user's verified identity credentials as if nothing happened.

It gets worse. The app's "too many attempts" lockout is just a counter in a text file. Reset it to 0 and keep guessing. The biometric check (face/fingerprint) is a simple on/off switch in the same file. Flip it to off and the app skips it entirely.

Marius Avram retweeted
vx-underground (@vxunderground)
Another zero day exploit released by some nerd (can't remember name right now) because they're annoyed with Microsoft. It's been confirmed by other nerds. It is yet another legit zero day. Whew. github.com/Nightmare-Ecli…