Stay up to date on critical cyber risks, Microsoft’s June Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats. 

Quick Highlights

• Microsoft Patch Tuesday: 
  – 206 vulnerabilities disclosed 
  – 33 rated Critical, 3 are Zero-Day (publicly disclosed).
  – Microsoft has patched a larger than average number of critical vulnerabilities this month, including flaws previously disclosed by security researcher Nightmare Eclipse. 

• Advisories from Major Vendors: 
  – Adobe: 123 vulnerabilities patched across 11 products 
  – Cisco: 1 critical-severity flaw with a proof-of-concept exploit available, 1 high-severity flaw which is being actively exploited 
  – Fortinet: 1 critical-severity flaws in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS 
  – Ivanti: 2 critical-severity flaws in Ivanti Sentry and 2 high-severity flaws in Ivanti Endpoint Manager Mobile 
  – SAP: 4 critical vulnerabilities in SAP NetWeaver AS ABAP/ABAP Platform, SAP Commerce Cloud and SAP Data Hub 
  – VEEAM: 1 critical-severity flaw patched in Veeam Backup & Replication 12.3.2.4465 

• Top Threats to Watch: 
  – AI-powered attacks accelerating – Adversaries are increasingly using AI to discover vulnerabilities, build exploits (including zero-days), and automate intrusion workflows, making attacks faster and more scalable. 
  – Trusted platform abuse for delivery and evasion – Attackers are leveraging legitimate services (ChatGPT, Claude, Dropbox, GitHub, Salesforce) to host malware, evade detection, and bypass traditional security controls. 
  – Credential and session hijacking evolving beyond passwords – New phishing kits and exploits target OAuth tokens, GitHub tokens, and MFA bypass techniques, enabling persistent access without needing credentials. 
  – Social engineering + vishing as primary initial access vectors – Highly targeted campaigns use phone calls, staged conversations, and impersonation (IT support, customers) to bypass technical defenses and gain access quickly. 
  – Critical infrastructure & edge systems under active exploitation – Severe vulnerabilities (VPN auth bypass, RCE chains, endpoint security flaws) are being actively exploited, often leading to full system compromise or root access. 

Windows 10 Reaches End of Support

As of October 14, 2025, Microsoft has officially ended support for Windows 10. October 2025’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program. 

• What This Means for Your Organization: 
  – No more security patches or bug fixes for Windows 10 devices  
  – Increased exposure to vulnerabilities and compliance risks  
  – Continued support requires either: 1.) Enrolling in Microsoft’s paid ESU program, or 2.) Upgrading to Windows 11

• Upgrading Windows 11  
  Unlike traditional feature upgrades, Windows 11 25H2 is built on the same servicing branch and code base as Windows 11 24H2, making the transition simpler and lower risk.  
  
  Fortress has thoroughly tested Windows 11 25H2 and recommends upgrading all supported devices. To begin the upgrade process, contact our 24/7/365 Security Operations Team or reach out to your client experience manager.  

Windows 11 End of Support

As of November 2025, Microsoft has officially ended support for earlier versions of Windows 11 (listed below).

• Windows 11 version 21H2 (All Editions) 
• Windows 11 version 22H2 (All Editions) 
• Windows 11 version 23H2 (Home & Pro) 

We would also like to highlight several upcoming End of Support dates for the following Windows releases: 

• Windows 11 version 23H2 (Enterprise & Education) – Support ends November 10, 2026. After this date, these editions will no longer receive security updates or fixes. 
• Windows 11 version 24H2 (Home & Pro) – Support ends October 13, 2026. Devices running these editions should be upgraded before this date to remain supported and secure. 

Fortress recommends reviewing device inventories ahead of these deadlines to ensure systems are upgraded in advance and remain within a supported lifecycle. 

* Some specialized editions of Windows 11 24H2 (e.g. Long Term Support Cycle) will continue to receive extended support through 2029. However, for all other editions we recommend upgrading to Windows 11 25H2.  

Windows Server 2016 End of Support

Support for Windows Server 2016 is scheduled to end on January 12, 2027, which is now less than a year away. After this date, Microsoft will no longer provide security updates, bug fixes, or technical support for the platform. 

Organizations still running Windows Server 2016 should begin planning upgrade or migration strategies to avoid increased security risk and compliance concerns once support ends. 

Fortress recommends reviewing affected systems early to allow sufficient time for testing, upgrades, or workload migration before the end-of-support deadline. 

Need help planning your transition?

Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure.

Patch Tuesday Summary

Microsoft June 2026 Patch Tuesday 
206 vulnerabilities disclosed, including 33 critical and 3 publicly-disclosed zero-days. By category: 

• 65 Elevation of Privilege 
• 55 Remote Code Execution 
• 30 Information Disclosure 
• 27 Spoofing 
• 19 Security Feature Bypass 
• 7 Denial of Service 

Critical Common Vulnerabilities and Exposures (CVEs)

Windows Zero Days

Other Critical CVE’s Worth Mentioning

Microsoft June 2026 Security Update Release

3rd Party Critical CVE’s Worth Mentioning

Adobe Products *

Adobe Security Bulletins

Cisco *

Cisco Security Advisories

Fortinet *

Fortinet PSIRT Advisories

Ivanti *

Ivanti June 2026 Security Update

SAP *

SAP June 2026 Security Notes

VEEAM

VEEAM Security Advisory

Google Chrome 

• Version: 149.0.7827.102/.103 (Windows and Mac), 149.0.7827.102 (Linux) 
• Release Date: Monday, June 8, 2026 
• Key Fixes: 74 security fixes including 17 critical, 55 high severity vulnerabilties   

Chrome Release Notes

* Not handled by Fortress SRM. 

Threat Intelligence Trends – June 2026

The following resources are grouped by threat type / category. 

AI-Enabled / Emerging Threats

Charter Communications Data Breach Affects 4.9 Million Accounts 
A ShinyHunters-linked attack exposed millions of Charter customer records via a compromised employee account and Salesforce data theft, though the company disputes that highly sensitive data was taken. The breach highlights ongoing vishing risks and targeted attacks on SaaS platforms.
Read more

Webworm: New Burrowing Techniques 
ESET researchers reveal how the Webworm APT group is evolving its toolkit with stealthier proxy-based infrastructure and new backdoors using Discord and Microsoft Graph API for command-and-control, expanding operations into Europe. The campaign highlights increased use of cloud services and living-off-the-land tactics to evade detection.  
Read more

ReliaQuest Uncovers China-Linked Espionage Cluster “OP-512” 
ReliaQuest researchers identified a new China-linked threat cluster using advanced, stealthy web shell techniques on IIS servers, designed to evade detection through encryption, unique builds, and covert DNS signaling. The operation reflects long-term espionage goals and increasing sophistication in persistence and defense evasion.  
Read more

Adversaries Leverage AI for Vulnerability Exploitation and Initial Access 
Google researchers highlight how threat actors are increasingly using AI to discover vulnerabilities, develop exploits (including zero-days), and automate attack workflows, while also targeting AI systems themselves for initial access. The report underscores AI’s growing role in enabling scalable, adaptive, and stealthier cyber operations.  
Read more

FBI Warns of Spoofed FIFA Websites Ahead of 2026 World Cup 
The FBI issued a warning about attackers creating fake FIFA-themed websites to steal personal data and sell fraudulent tickets, using typo-squatting domains and deceptive ads to lure victims. Users are advised to verify URLs carefully and avoid clicking sponsored or suspicious links.  
Read more

Social Engineering & Phishing

Targeted Campaign Against US Law Firms (UNC3753 / Luna Moth) 
A financially motivated threat group is targeting U.S. law firms using vishing and social engineering to trick employees into granting remote access, followed by rapid data theft and extortion. The campaign highlights the growing effectiveness of human-focused intrusion methods and even includes rare instances of physical office infiltration.  
Read more

LLMShare Malvertising Campaign Uses AI Chat Platforms for Malware Delivery 
Attackers are abusing shared ChatGPT and Claude pages hosted on trusted domains to distribute malware via malvertising, including fake service notices that redirect users to malicious downloads. This technique bypasses traditional security checks by leveraging legitimate AI platforms and highly convincing social engineering.  
Read more

Massive Smishing Campaign Targets Governments, Postal Services, and Telecoms 
A large-scale smishing operation spanning 19 countries leveraged thousands of phishing domains and shared infrastructure to impersonate government portals, delivery services, and telecom providers to steal payment card data. The campaign used highly convincing multi-stage phishing flows and reusable templates to scale globally.  
Read more

Vibe Hacking: AI-Augmented Campaigns Target Latin America 
Trend Micro details two emerging campaigns using agentic AI to automate full attack lifecycles—from initial access to data exfiltration—against government and financial organizations in Latin America, highlighting a shift toward AI-driven, dynamically generated tools and stealthier intrusion techniques.  
Read more

Kimsuky Spear-Phishing Campaign Masquerades as Data Breach Inquiry 
Researchers uncovered a targeted spear-phishing campaign linked to the North Korea–aligned Kimsuky group, using staged email conversations and fake “data breach” inquiries to trick security staff into opening malicious LNK attachments. The malware employs multi-stage infection chains, cloud-based C2 (Dropbox), and evasion techniques to steal system data and maintain persistence.  
Read more

FBI Warns of Kali365 Phishing-as-a-Service Targeting Microsoft 365 
The FBI alerted organizations to Kali365, a phishing-as-a-service toolkit that steals Microsoft 365 OAuth tokens via legitimate login pages, effectively bypassing MFA and granting persistent account access. The platform lowers the barrier for attackers with ready-made phishing kits and automation tools.  
Read more

Vulnerabilities & Exploits

1-Click GitHub Token Stealing via a VSCode Bug 
A VSCode/web (github.dev) vulnerability allowed attackers to steal GitHub OAuth tokens with a single malicious link by abusing webview keybinding events to install a rogue extension. This could grant access to private repositories, though Microsoft quickly issued fixes after disclosure. 
Read more

Popping Root on UniFi OS Server: Unauthenticated RCE Chain Detection & Analysis 
Researchers detail a critical цеп strong chain of vulnerabilities in UniFi OS that allows unauthenticated attackers to achieve full root access via authentication bypass and command injection, exposing network control and sensitive secrets. The blog also provides detection techniques and emphasizes urgent patching and secret rotation. 
Read more

Redis CVE-2026-23479 Deep Dive
This analysis explores a critical Redis vulnerability that can be exploited for unauthorized access or code execution, breaking down root cause, exploitation techniques, and potential impact. It also highlights mitigation strategies and emphasizes proper configuration and patching. 
Read more

Check Point Releases Hotfix for IKEv1 VPN Vulnerabilities 
Check Point issued an urgent patch for critical flaws in the deprecated IKEv1 VPN protocol, including an actively exploited authentication bypass that allows attackers to gain VPN access without valid credentials. Organizations are urged to update immediately and migrate away from IKEv1 due to ongoing exploitation risks.  
Read more

Microsoft Warns of New Defender Zero-Days Exploited in Attacks 
Microsoft patched two actively exploited zero-day vulnerabilities in Defender that enable privilege escalation and denial-of-service, prompting urgent mitigation guidance and a federal mandate to patch affected systems.  
Read more

Dashlane Users Locked Out After Brute-Force Attacks 
Dashlane confirmed that attackers launched brute-force login attempts against user accounts, triggering automated security lockouts to prevent unauthorized access, though no systems were compromised. The incident highlights how protective account defenses can disrupt users while blocking credential-stuffing activity.  
Read more

Recommended Actions

Mitigations

• Patch and upgrade critical systems immediately (VPNs, UniFi OS, endpoint security tools) and deprecate insecure protocols like IKEv1.  
• Restrict exposure of management interfaces and enforce network segmentation for internet-facing systems.  
• Disable or limit risky authentication flows (e.g., device code flow) and enforce strong MFA and token protections.  
• Block or strictly control use of remote access tools (RMM, screen sharing) and enforce application allowlisting.  
• Educate users on phishing, smishing, and malvertising risks, especially involving “trusted” platforms and urgent scenarios. 

Monitoring

• Monitor authentication logs for anomalous behavior (impossible travel, new devices, excessive login attempts, token anomalies).  
• Track unusual outbound traffic to cloud storage, SaaS platforms, or AI service domains used as C2 channels.  
• Alert on suspicious DNS queries, long encoded domains, or abnormal web server activity indicative of web shells.  
• Watch for installation or execution of unauthorized tools (RMM agents, tunneling utilities, scripting engines).  
• Monitor user behavior within SaaS/enterprise apps for large data exports or abnormal access patterns. 

Detection Tips

• Detect phishing patterns involving device codes, shared chatbot links, or staged conversations/social engineering chains.  
• Identify command injection, RCE attempts, and exploitation chains targeting exposed services and APIs.  
• Hunt for suspicious endpoint behavior such as PowerShell execution, LNK file launches, or encoded/obfuscated scripts.  
• Flag abnormal process behaviors (e.g., web servers spawning shells, privilege escalation activity, reflective loading).  
• Detect AI-assisted or polymorphic malware through behavior-based analytics rather than signatures alone. 

About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering 

Why Patching Matters

Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities. 

Vigilant Managed Cyber Hygiene

 Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management. 

• Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications 
• Critical patches, OS upgrades, and configuration updates for all devices, on/off network 
• 24/7/365 U.S.-based monitoring and real-time reporting for full visibility 

Stay Protected. Stay Proactive.

Learn how Fortress SRM can enhance your cybersecurity strategy

The post Threat and Security Update – June, 2026 appeared first on Fortress SRM.

Stay up to date on critical cyber risks, Microsoft’s May Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats. 

Quick Highlights

• Microsoft Patch Tuesday: 
  – 137 vulnerabilities disclosed 
  – 17 rated Critical, no zero-day flaws have been disclosed this month 

• High-Severity Advisories from Major Vendors: 
  – Adobe: 52 vulnerabilities patched across 10 products 
  – Cisco: 4 high-severity flaws, affecting Cisco IoT Field Network Director Software, Cisco Crosswork Network Controller (CNC) and Cisco Network Services Orchestrator (NSO), Cisco 350 Series Managed Switches (SG350) and Cisco 350X Series Stackable Managed Switches (SG350X), and Cisco Unity Connection 
  – Fortinet: 1 critical-severity flaw and 1 high-severity flaw in FortiSandbox and FortiOS 
  – Ivanti: 1 critical-severity flaw, 4 high-severity flaws, and 2 medium-severity flaws disclosed in Ivanti Secure Access Client, Ivanti Xtraction, Ivanti Virtual Traffic Manager, and Ivanti Endpoint Manager (EPM) 
  – SAP: 2 critical-severity and 1 high-severity vulnerabilities in SAP S/4HANA, SAP Commerce, and SAP Forecasting & Replenishment 
  – Apple: Multiple iOS releases addressing security vulnerabilities 

• Top Threats to Watch: 
  – AI-powered attack automation is accelerating – Campaigns like Bissa Scanner and Vibe Hacking show how adversaries are using AI to scale exploitation, generate tools, and automate full intrusion workflows with minimal skill barriers.  
  – Trust boundaries in automation (CI/CD) are breaking – The Gemini CLI flaw highlights how implicit trust in pipelines can lead to full remote code execution and supply chain compromise from simple input manipulation.  
  – Phishing is evolving into multi-stage access operations – Fake invitation campaigns combine credential theft, MFA bypass, and legitimate remote access tools, making early detection much harder.  
  – Legitimate tools continue to be weaponized post-compromise – From RMM software to collaboration platforms like Teams, attackers are blending into normal operations to evade detection and maintain access.  
  – Post-compromise privilege escalation remains critical – Exploits like Dirty Frag show that once initial access is gained, reliable local privilege escalation can quickly lead to full system/root control. 

Windows 10 Reaches End of Support

As of October 14, 2025, Microsoft has officially ended support for Windows 10. October 2025’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program. 

• What This Means for Your Organization: 
  – No more security patches or bug fixes for Windows 10 devices  
  – Increased exposure to vulnerabilities and compliance risks  
  – Continued support requires either: 1.) Enrolling in Microsoft’s paid ESU program, or 2.) Upgrading to Windows 11

• Upgrading Windows 11  
  Unlike traditional feature upgrades, Windows 11 25H2 is built on the same servicing branch and code base as Windows 11 24H2, making the transition simpler and lower risk.  
  
  Fortress has thoroughly tested Windows 11 25H2 and recommends upgrading all supported devices. To begin the upgrade process, contact our 24/7/365 Security Operations Team or reach out to your client experience manager.  

Windows 11 End of Support

As of November 2025, Microsoft has officially ended support for earlier versions of Windows 11 (listed below).

• Windows 11 version 21H2 (All Editions) 
• Windows 11 version 22H2 (All Editions) 
• Windows 11 version 23H2 (Home & Pro) 

We would also like to highlight several upcoming End of Support dates for the following Windows releases: 

• Windows 11 version 23H2 (Enterprise & Education) – Support ends November 10, 2026. After this date, these editions will no longer receive security updates or fixes. 
• Windows 11 version 24H2 (Home & Pro) – Support ends October 13, 2026. Devices running these editions should be upgraded before this date to remain supported and secure. 

Fortress recommends reviewing device inventories ahead of these deadlines to ensure systems are upgraded in advance and remain within a supported lifecycle. 

* Some specialized editions of Windows 11 24H2 (e.g. Long Term Support Cycle) will continue to receive extended support through 2029. However, for all other editions we recommend upgrading to Windows 11 25H2.  

Windows Server 2016 End of Support

Support for Windows Server 2016 is scheduled to end on January 12, 2027, which is now less than a year away. After this date, Microsoft will no longer provide security updates, bug fixes, or technical support for the platform. 

Organizations still running Windows Server 2016 should begin planning upgrade or migration strategies to avoid increased security risk and compliance concerns once support ends. 

Fortress recommends reviewing affected systems early to allow sufficient time for testing, upgrades, or workload migration before the end-of-support deadline. 

Need help planning your transition?

Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure.

Patch Tuesday Summary

Microsoft May 2026 Patch Tuesday 
137 vulnerabilities disclosed, including 17 critical and 0 zero-days. By category: 

• 61 Elevation of Privilege 
• 31 Information Disclosure 
• 15 Remote Code Execution 
• 14 Security Feature Bypass 
• 8 Denial of Service 
• 6 Spoofing 
• 2 Tampering 

Critical Common Vulnerabilities and Exposures (CVEs)

Critical CVE’s Worth Mentioning

Microsoft May 2026 Security Update Release

3rd Party Critical CVE’s Worth Mentioning

Adobe Products *

Adobe Security Bulletins

Cisco *

Cisco Security Advisories

Fortinet *

Fortinet PSIRT Advisories

Ivanti *

Ivanti May 2026 Security Update

SAP *

SAP May 2026 Security Notes

Apple**

• Version: iOS 26.5 and iPadOS 26.5, iOS 18.7.9 and iPadOS 18.7.9, iPadOS 17.7.11, iOS 16.7.16 and iPadOS 16.7.16, iOS 15.8.8 and iPadOS 15.8.8, macOS Tahoe 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, tvOS 26.5, watchOS 26.5, visionOS 26.5 
• Release Date: Monday, May 11, 2026 
• Release Notes: Addresses more than 50 security vulnerabilities in iOS 26.5 and around 70 security updates for macOS Tahoe 26.5. There were no known actively exploited bugs. 

Apple Release Notes

Google Chrome 

• Version: 148.0.7778.167/168 (Windows and Mac), 148.0.7778.167 (Linux) 
• Release Date: Tuesday, May 12, 2026 
• Previous Version Release Notes: Chrome version 148.0.7778.96 (Linux) and 148.0.7778.96/97 (Windows/Mac)released on May 5^th, 2026, contained 127 security flaws including 3 critical-severity and 31 high-severity.  

Chrome Release Notes

Mozilla FireFox

• Version: Firefox 150.0.3 
• Release Date: Tuesday, May 12, 2026 
• Key Fixes: 5 High CVE’s – CVE-2026-8388, CVE-2026-8389, CVE-2026-8390, CVE-2026-8391, and CVE-2026-8401 

* Not handled by Fortress SRM. 
** MacOS handled by Fortress SRM, iOS not handled by Fortress SRM.

Threat Intelligence Trends – May 2026

The following resources are grouped by threat type / category. 

AI-Enabled / Emerging Threats

AI-Powered Exploitation Accelerates Initial Access in Cyberattacks 
Google Threat Intelligence reports that attackers are using AI to discover vulnerabilities, generate exploits, and scale initial access operations, including the first observed AI-developed zero-day.  
Read more

Bissa Scanner: AI‑Assisted Mass Exploitation & Credential Harvesting 
An exposed attacker server revealed a highly automated operation using AI tools to scan millions of systems, exploit vulnerabilities, and harvest large volumes of credentials, with over 900 confirmed compromises.  
Read more

Vibe Hacking: AI‑Augmented Campaigns Targeting Latin America 
Two campaigns (SHADOW‑AETHER‑040 and ‑064) leveraged agentic AI to automate full attack chains—from initial access to data exfiltration—against government and financial organizations in Latin America.  
Read more

Social Engineering & Phishing

Cross-Tenant Helpdesk Impersonation → Human-Operated Data Exfiltration 
Threat actors abuse Microsoft Teams external access to impersonate IT helpdesk staff, trick users into granting remote access, then use legitimate tools and protocols to move laterally and exfiltrate sensitive data while blending into normal activity.  
Read more

US Fake Invitation Phishing Campaign 
A large-scale phishing campaign targeting U.S. organizations uses fake event invitations and CAPTCHA pages to trick users into credential theft, OTP interception, or installing legitimate remote access tools.  
Read more

Operation TrustTrap: Large-Scale Domain Spoofing Campaign 
A massive phishing campaign leveraging 16,800+ spoofed domains abuses trust in government-style URLs to harvest credentials and payment data, focusing on human perception rather than technical exploits.  
Read more

Silver Fox Tax-Themed Phishing Campaign Deploys Multi-Stage Malware 
A cyberespionage campaign by the Silver Fox group uses fake tax audit emails to trick victims into downloading malicious files that deliver ValleyRAT and a new ABCDoor backdoor, enabling full remote access and data theft.  
Read more

Vulnerabilities & Exploits

VM2 Sandbox Escape Enables Remote Code Execution (CVE-2026-26956) 
A critical vulnerability in the Node.js sandbox allows attackers to escape the isolated environment and execute arbitrary commands on the host by exploiting WebAssembly exception handling flaws.  
Read more  

GitHub Enterprise Server RCE via Git Push Option Injection (CVE-2026-3854)
A high‑severity vulnerability allows attackers with repository push access to achieve remote code execution by injecting malicious data into unsanitized git push options that are processed as internal headers.
Read more

CVE-2026-42208: Targeted SQL Injection in LiteLLM Exploited Within 36 Hours 
A critical pre-auth SQL injection in LiteLLM’s authentication flow was actively probed just 36 hours after disclosure, with attackers performing targeted schema enumeration to access high-value secrets like API keys and credentials.  
Read more

 Hackers Exploit Canvas XSS Flaw to Deface School Portals 
Attackers leveraged cross-site scripting (XSS) vulnerabilities in Instructure’s Canvas LMS to hijack admin sessions and deface login portals with ransom messages, escalating pressure after an earlier data breach.  
Read more

Critical cPanel Authentication Flaw Prompts Emergency Mitigation by Namecheap 
A critical authentication bypass vulnerability (CVE-2026-41940) in cPanel allowed unauthenticated attackers to gain full control of servers, prompting Namecheap to temporarily block panel access while deploying patches.  
Read more

Palo Alto PAN-OS Zero-Day Enables Root RCE on Firewalls 
A critical buffer overflow in the PAN‑OS User-ID Authentication Portal allows unauthenticated attackers to execute code with root privileges on affected firewalls, with active exploitation observed.  
Read more 

Apache ActiveMQ Jolokia Flaw Enables RCE (CVE‑2026‑34197) 
A high‑severity vulnerability in Apache ActiveMQ Classic allows attackers to execute arbitrary code by abusing the Jolokia management API to load malicious configurations, with some versions enabling unauthenticated exploitation.  
Read more

Copy Fail: 732 Bytes to Root on Every Major Linux Distribution 
A critical Linux kernel flaw (CVE‑2026‑31431) allows unprivileged users to gain root by corrupting the page cache of files, enabling reliable privilege escalation across nearly all Linux distributions since 2017.  
Read more

 APT28 Exploits Incomplete Patch → New Zero-Click Windows Vulnerability (CVE‑2026‑32202) 
Akamai uncovered that a Microsoft fix for a prior zero‑day (CVE‑2026‑21510) was incomplete, leaving behind a zero‑click authentication coercion flaw (CVE‑2026‑32202) that APT28 used to silently steal credentials.  
Read more

Dirty Frag: Linux Privilege Escalation via Page‑Cache Manipulation 
A Linux kernel vulnerability chain that enables unprivileged users to overwrite read‑only page‑cache memory and gain root access by exploiting two flaws in networking subsystems.  
Read more

Google Fixes CVSS 10 Gemini CLI CI RCE 
A critical vulnerability in Gemini CLI allowed attackers to inject malicious configuration in CI workflows and execute arbitrary commands on host systems due to unsafe workspace trust in headless mode.  
Read more

Recommended Actions

Mitigations

• Enforce strict trust boundaries in CI/CD pipelines (disable automatic trust of workspace content, require explicit approvals for external inputs)  
• Patch and update all exposed systems promptly (e.g., Gemini CLI, Linux kernel, internet-facing apps) 
• Move secrets out of easily accessible locations (e.g., .env files) and into secure secret managers 
• Restrict use of remote management tools (RMM) and enforce least privilege access controls 
• Implement strong MFA with phishing-resistant methods and conditional access policies 

Monitoring

• Monitor for unusual use of legitimate tools (RMM software, Teams, CLI agents) in non-standard contexts 
• Track suspicious activity in CI/CD pipelines, especially execution triggered by external pull requests or untrusted inputs 
• Watch for abnormal authentication patterns (e.g., OTP reuse, impossible travel, unusual login flows) 
• Monitor outbound traffic for data exfiltration or connections to uncommon storage/services (e.g., S3-like endpoints) 
• Log and review kernel/module loading activity and privilege escalation indicators on Linux hosts 

Detection Tips

• Alert on creation or modification of hidden config directories/files (e.g., .gemini/, phishing kit artifacts) 
• Detect CAPTCHA-gated phishing flows followed by authentication prompts 
• Identify anomalous execution chains involving trusted binaries/tools launched from unusual parent processes 
• Look for signs of page cache manipulation or sensitive file tampering (Linux LPE indicators) 
• Correlate multi-stage attacks: phishing → credential use → RMM deployment → lateral movement 

About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering 

Why Patching Matters

Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities. 

Vigilant Managed Cyber Hygiene

 Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management. 

• Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications 
• Critical patches, OS upgrades, and configuration updates for all devices, on/off network 
• 24/7/365 U.S.-based monitoring and real-time reporting for full visibility 

Stay Protected. Stay Proactive.

Learn how Fortress SRM can enhance your cybersecurity strategy

The post Threat and Security Update – May, 2026 appeared first on Fortress SRM.

Stay up to date on critical cyber risks, Microsoft’s April Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats. 

Quick Highlights

• Microsoft Patch Tuesday: 
  – 165 vulnerabilities disclosed 
  – 8 rated Critical, 2 are Zero-Day (1 being actively exploited, 1 being publicly disclosed) 

• High-Severity Advisories from Major Vendors: 
  – Adobe: 56 vulnerabilities affecting 11 products, one actively exploited zero-day for Adobe Acrobat  
  – Cisco: 3 critical-severity flaws, in Cisco Identity Services Engine (ISE), Cisco ISE Passive Identity Connector (ISE-PIC), and Cisco Webex Services 
  – Fortinet: 2 critical and 1 high-severity flaws in FortiSandbox and FortiAnalyzer 
  – Ivanti: 2 medium-severity flaws in Ivanti Neurons for ITSM 
  – SAP: 1 critical and 1 high vulnerabilities in SAP Business Planning and Consolidation, SAP Business Warehouse, SAP ERP and SAP S/4 HANA 
  – SonicWall: 1 high-severity flaw in SonicWall SMA1000 series appliances 

• Top Threats to Watch: 
  – Phishing‑as‑a‑Service that defeats MFA by design 
  – Mature platforms (e.g., Venom, EvilTokens, W3LL) are operationalizing AiTM, OAuth device‑code abuse, and token replay to reliably bypass MFA and achieve persistent access at scale. 
  – Rapid weaponization of zero‑days and N‑days 
  – Attackers are exploiting critical flaws within hours or days of disclosure—often before patches are widely deployed—dramatically shrinking defender response windows. 
  – Direct attacks on security controls (EDR/identity) 
  – Modern ransomware and intrusion campaigns increasingly disable endpoint security and identity telemetry early, blinding defenders before deploying follow‑on payloads. 
  – Abuse of trusted platforms and supply‑chain trust 
  – Legitimate tools and services (AI workflow automation, PaaS, software update mechanisms) are being weaponized to blend malicious activity into normal enterprise traffic. 
  – Expansion of cyber operations into high‑impact environments 
  – Threat activity is targeting government, critical infrastructure, and civil society through OT exploitation, hack‑for‑hire espionage, and large‑scale web application compromise. 

Windows 10 Reaches End of Support

As of October 14, 2025, Microsoft has officially ended support for Windows 10. October 2025’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program. 

• What This Means for Your Organization: 
  – No more security patches or bug fixes for Windows 10 devices  
  – Increased exposure to vulnerabilities and compliance risks  
  – Continued support requires either: 1.) Enrolling in Microsoft’s paid ESU program, or 2.) Upgrading to Windows 11

• Upgrading Windows 11  
  Unlike traditional feature upgrades, Windows 11 25H2 is built on the same servicing branch and code base as Windows 11 24H2, making the transition simpler and lower risk.  
  
  Fortress has thoroughly tested Windows 11 25H2 and recommends upgrading all supported devices. To begin the upgrade process, contact our 24/7/365 Security Operations Team or reach out to your client experience manager.  

Windows 11 End of Support

As of November 2025, Microsoft has officially ended support for earlier versions of Windows 11 (listed below).

• Windows 11 version 21H2 (All Editions) 
• Windows 11 version 22H2 (All Editions) 
• Windows 11 version 23H2 (Home & Pro) 

We would also like to highlight several upcoming End of Support dates for the following Windows releases: 

• Windows 11 version 23H2 (Enterprise & Education) – Support ends November 10, 2026. After this date, these editions will no longer receive security updates or fixes. 
• Windows 11 version 24H2 (Home & Pro) – Support ends October 13, 2026. Devices running these editions should be upgraded before this date to remain supported and secure. 

Fortress recommends reviewing device inventories ahead of these deadlines to ensure systems are upgraded in advance and remain within a supported lifecycle. 

* Some specialized editions of Windows 11 24H2 (e.g. Long Term Support Cycle) will continue to receive extended support through 2029. However, for all other editions we recommend upgrading to Windows 11 25H2.  

Windows Server 2016 End of Support

Support for Windows Server 2016 is scheduled to end on January 12, 2027, which is now less than a year away. After this date, Microsoft will no longer provide security updates, bug fixes, or technical support for the platform. 

Organizations still running Windows Server 2016 should begin planning upgrade or migration strategies to avoid increased security risk and compliance concerns once support ends. 

Fortress recommends reviewing affected systems early to allow sufficient time for testing, upgrades, or workload migration before the end-of-support deadline. 

Need help planning your transition?

Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure.

Patch Tuesday Summary

Microsoft April 2026 Patch Tuesday 
165 vulnerabilities disclosed, including 8 critical and 2 zero-days. By category: 

• 93 Elevation of Privilege 
• 21 Information Disclosure 
• 20 Remote Code Execution 
• 13 Security Feature Bypass 
• 10 Denial of Service 
• 8 Spoofing 
• 2 Tampering 

Critical Common Vulnerabilities and Exposures (CVEs)

Windows Zero-Days

Other Critical CVE’s Worth Mentioning

Microsoft April 2026 Security Update Release

3rd Party Critical CVE’s Worth Mentioning

Adobe Products *

Adobe Security Bulletins

Cisco *

Cisco Security Advisories

Fortinet *

Fortinet PSIRT Advisories

Ivanti *

Ivanti April 2026 Security Update

SAP *

SAP April 2026 Security Notes

SonicWall *

SonicWall Security Notes

Google Chrome 

• Version: 147.0.7727.101/102 (Windows and Mac), 147.0.7727.101 (Linux) 
• Release Date: Wednesday, April 15, 2026 
• Key Fixes: 5 critical-severity CVE’s, 22 high-severity CVE’s 

Chrome Release Notes

* Not handled by Fortress SRM. 

Threat Intelligence Trends – April 2026

The following resources are grouped by threat type / category. 

Phishing‑as‑a‑Service & Credential Theft Platforms 

W3LL Unmasked: The takedown of a global phishing-as-a-service ecosystem 
Group-IB outlines how years of investigation into the W3LL operation led to the disruption of a sophisticated phishing-as-a-service ecosystem that enabled large-scale business email compromise by bypassing MFA and selling stolen access. The takedown, carried out with international law enforcement, shows how long-running underground marketplaces can industrialize phishing and emphasizes the value of sustained intelligence-led collaboration in dismantling them. 
Read more

Meet VENOM: The PhaaS Platform That Neutralizes MFA 
Abnormal researchers describe a highly targeted phishing campaign powered by the previously undocumented VENOM phishing‑as‑a‑service platform, which focuses on stealing Microsoft 365 credentials from C‑suite executives. By using QR‑code lures, adversary‑in‑the‑middle and device‑code techniques, and extensive evasion measures, the campaign bypasses MFA and quickly establishes persistent account access. 
Read more

Riding the Rails: Threat Actors Abuse Railway.com PaaS as Microsoft 365 Token Attack Infrastructure 
Huntress details a large‑scale phishing campaign in which attackers abused Railway’s PaaS infrastructure to host Microsoft 365 device‑code phishing and token replay services, allowing account takeover without stealing passwords or triggering MFA prompts. The activity, attributed to the EvilTokens phishing‑as‑a‑service platform, demonstrates how cloud PaaS providers can be rapidly weaponized to scale OAuth token theft and bypass traditional identity defenses. 
Read more

AI-Enabled & Emerging Platform Abuse

The n8n n8mare: How threat actors are misusing AI workflow automation 
Cisco Talos researchers detail how attackers are abusing the legitimate n8n automation platform to power phishing campaigns that deliver malware and fingerprint victims via exposed webhook URLs, allowing malicious activity to blend into trusted infrastructure. Observed from late 2025 through early 2026, these campaigns show how AI-enabled workflow tools can be weaponized to bypass traditional email and web security controls. 
Read more

ChatGPT Data Leakage via a Hidden Outbound Channel in the Code Execution Runtime 
Check Point Research reports a technique that abused a hidden outbound communication channel in ChatGPT’s code execution environment to exfiltrate sensitive data, even when direct network access appeared restricted. The research highlights risks in sandboxed AI runtimes and underscores the need for strict egress controls and continuous monitoring to prevent unintended data leakage in AI-assisted workflows. 
Read more

Ransomware & Defense Evasion Tooling

Qilin EDR killer infection chain 
Cisco Talos analyzes a sophisticated Qilin ransomware component that uses a malicious, sideloaded msimg32.dll to launch a multi‑stage “EDR killer” capable of disabling more than 300 EDR products across almost every major vendor. The malware employs advanced evasion, in‑memory execution, and vulnerable driver abuse to blind defensive telemetry before ransomware deployment, highlighting a shift toward directly attacking endpoint security controls.
Read more

Zero‑Day Exploitation & Rapid Weaponization 

EXPMON Detected Sophisticated Zero-Day Fingerprinting Attack Targeting Adobe Reader Users
Security researcher Haifei Li reports that the EXPMON exploit detection system uncovered a highly sophisticated malicious PDF exploiting a previously unknown Adobe Reader zero-day to steal local files and perform advanced system fingerprinting. The exploit abuses privileged Acrobat JavaScript APIs and can potentially enable follow‑on sandbox escape or remote code execution, demonstrating an active and targeted zero‑day threat against fully up‑to‑date Adobe Reader installations.
Read more

Operation TrueChaos: 0‑Day Exploitation Against Southeast Asian Government Targets 
Check Point Research uncovered a zero‑day vulnerability in the TrueConf video conferencing client (CVE‑2026‑3502) that was actively exploited to compromise Southeast Asian government networks by abusing the platform’s trusted on‑premises update mechanism. The campaign delivered post‑exploitation tooling via tampered updates and is attributed with moderate confidence to a Chinese‑nexus threat actor, highlighting the risk of supply‑chain style attacks inside supposedly air‑gapped environments. 
Read more

CVE‑2026‑3055: Citrix NetScaler ADC and NetScaler Gateway Out‑of‑Bounds Read 
Rapid7 analyzes a critical vulnerability in customer‑managed Citrix NetScaler ADC and Gateway appliances that allows unauthenticated attackers to read sensitive memory when the device is configured as a SAML identity provider. With active exploitation confirmed and a Metasploit module available, Rapid7 recommends immediate patching to prevent session token leakage and follow‑on compromise.
Read more

Marimo OSS Python Notebook RCE: From Disclosure to Exploitation in Under 10 Hours 
Sysdig documents how a critical pre‑authentication RCE flaw in the marimo open‑source Python notebook was exploited in the wild less than 10 hours after public disclosure, despite the absence of proof‑of‑concept code. The incident highlights how attackers rapidly weaponize advisory details to gain unauthenticated shell access and steal credentials, sharply narrowing defenders’ patching and response windows.
Read more

Web Application & E‑Commerce Platform Compromise 

PolyShell: unrestricted file upload in Magento and Adobe Commerce 
Sansec reveals a critical REST API flaw that allows unauthenticated attackers to upload polyglot files disguised as images to Magento and Adobe Commerce stores, enabling remote code execution or account takeover depending on server configuration. With no production patch available and widespread exposure observed, the issue highlights systemic risk in Magento deployments and the urgency of compensating controls and compromise scanning. 
Read more

Hack‑for‑Hire, Surveillance & Espionage Operations 

Beyond BITTER: MENA Civil Society Targeted in Hack‑for‑Hire Operation Linked to BITTER APT
Lookout details a long‑running hack‑for‑hire espionage campaign tied to the BITTER APT that targets journalists, activists, and civil society across the Middle East using spear‑phishing and mobile spyware rather than zero‑day exploits. The operation shows how commercial surveillance actors leverage social engineering and Android spyware to achieve persistent monitoring of high‑risk individuals. 
Read more

Critical Infrastructure & Operational Technology (OT) Attacks 

Iranian‑Affiliated Cyber Actors Exploit Programmable Logic Controllers Across U.S. Critical Infrastructure 
CISA and partner agencies warn that Iran‑aligned threat actors are actively targeting internet‑exposed PLCs—primarily Rockwell Automation/Allen‑Bradley devices—across U.S. water, energy, and government sectors, causing operational disruptions and financial losses. The advisory urges organizations to remove PLCs from direct internet exposure, hunt for indicators of compromise, and apply mitigations to reduce the risk of further OT exploitation. 
Read more

Malvertising & Ad‑Tech Abuse 

Analyzing a Live AiTM Attack Targeting Google Accounts via Malvertising 
Confiant details a malvertising campaign that delivered an adversary‑in‑the‑middle (AiTM) phishing kit through online ads, enabling attackers to intercept Google account credentials and session tokens in real time. The research shows how sophisticated ad‑based delivery and client‑side evasion techniques can be combined to bypass traditional security controls and compromise accounts without obvious indicators. 
Read more

Recommended Actions

Mitigations

• Enforce strong identity protections beyond MFA, including phishing‑resistant MFA, device binding, and strict Conditional Access policies (block device‑code auth where not required). 
• Patch internet‑facing systems immediately on disclosure, prioritizing identity, VPN, ADC, notebook, and CMS platforms; assume rapid exploitation. 
• Reduce trust in platforms by default: restrict AI workflow tools, PaaS services, and automation platforms to approved tenants and networks only. 
• Harden endpoints against EDR evasion, including blocking vulnerable drivers (BYOVD), tightening kernel protections, and monitoring for security tool tampering. 
• Remove direct internet exposure from OT/ICS devices and enforce segmentation, gateways, and allow‑listing for management traffic. 

Monitoring

• Continuously monitor identity sign‑ins for token‑based and non‑interactive logins, especially from cloud PaaS providers or atypical geolocations. 
• Track EDR health telemetry (sensor unloads, driver terminations, ETW suppression) as high‑priority alerts. 
• Monitor REST API activity on web and e‑commerce platforms for unauthenticated uploads, abnormal file creation, or executable content in media paths. 
• Log and review software update and management channels for unexpected package changes or internal server abuse. 
• For OT environments, monitor PLC‑related ports and protocols for unauthorized or external access attempts. 

Detection Tips

• Alert on successful MFA logins immediately followed by session reuse, command execution, mailbox access, or token replay activity. 
• Detect in‑memory execution, DLL sideloading, and kernel driver loading from non‑standard paths or unsigned sources. 
• Hunt for polyglot files (e.g., images containing executable code) in upload directories and CMS media locations. 
• Identify rapid attacker dwell time patterns (credential access, reconnaissance, data access within minutes of initial access). 
• Correlate user behavior anomalies (new devices registered, OAuth consent grants, device‑code use) with phishing or malvertising lures. 

About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering 

Why Patching Matters

Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities. 

Vigilant Managed Cyber Hygiene

 Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management. 

• Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications 
• Critical patches, OS upgrades, and configuration updates for all devices, on/off network 
• 24/7/365 U.S.-based monitoring and real-time reporting for full visibility 

Stay Protected. Stay Proactive.

Learn how Fortress SRM can enhance your cybersecurity strategy

The post Threat and Security Update – April, 2026 appeared first on Fortress SRM.

Stay up to date on critical cyber risks, Microsoft’s March Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats. 

Quick Highlights

• Microsoft Patch Tuesday: 
  – 83 vulnerabilities disclosed 
  – 3 rated Critical, 2 are Zero-Day (both publicly disclosed, 0 exploited) 

• High-Severity Advisories from Major Vendors: 
  – Adobe: 80 vulnerabilities, affecting 8 products  
  – Cisco: 3 critical-severity flaws in Cisco Secure Firewall Management Center (FMC) and Cisco Catalyst SD-WAN Manager 
  – Fortinet: 2 high-severity flaws in FortiManager and FortiSwitchAXFixed  
  – Ivanti: 1 high-severity flaw in Ivanti Desktop and Server Management (DSM) 
  – SAP: 2 critical, 1 high vulnerabilities in SAP Quotation Management Insurance application (FS-QUO), SAP NetWeaver Enterprise Portal Administration, and SAP Supply Chain Management 
  – VEEAM: 6 critical-severity flaws, 4 high-severity flaws published  

• Top Threats to Watch: 
  – Iran‑linked targeting of IP cameras to support physical warfare operations and battlefield intelligence across the Middle East.  
  – Chinese‑nexus APT activity using PlugX malware and conflict‑themed lures to rapidly target organizations in Qatar and the Gulf region. 
  – Iranian MOIS and MuddyWater operations expanding espionage capabilities, including new backdoors (Dindoor, Fakeset) and Rclone‑based data exfiltration.  
  – Advanced social engineering campaigns—Teams impersonation, Quick Assist abuse, LastPass‑themed phishing, and commercial‑grade kits like Starkiller that bypass MFA. 
  – Rise in infostealer and mobile malware innovation, including theft of AI‑agent configuration files (OpenClaw) and the GenAI‑powered Android malware PromptSpy. 

Windows 10 Reaches End of Support

As of October 14, 2025, Microsoft has officially ended support for Windows 10. October 2025’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program. 

• What This Means for Your Organization: 
  – No more security patches or bug fixes for Windows 10 devices  
  – Increased exposure to vulnerabilities and compliance risks  
  – Continued support requires either: 1.) Enrolling in Microsoft’s paid ESU program, or 2.) Upgrading to Windows 11

• Upgrading Windows 11  
  Unlike traditional feature upgrades, Windows 11 25H2 is built on the same servicing branch and code base as Windows 11 24H2, making the transition simpler and lower risk.  
  
  Fortress has thoroughly tested Windows 11 25H2 and recommends upgrading all supported devices. To begin the upgrade process, contact our 24/7/365 Security Operations Team or reach out to your client experience manager.  

Windows 11 End of Support

As of November 2025, Microsoft has officially ended support for earlier versions of Windows 11 (listed below).

• Windows 11 version 21H2 (All Editions) 
• Windows 11 version 22H2 (All Editions) 
• Windows 11 version 23H2 (Home & Pro) 

We would also like to highlight several upcoming End of Support dates for the following Windows releases: 

• Windows 11 version 23H2 (Enterprise & Education) – Support ends November 10, 2026. After this date, these editions will no longer receive security updates or fixes. 
• Windows 11 version 24H2 (Home & Pro) – Support ends October 13, 2026. Devices running these editions should be upgraded before this date to remain supported and secure. 

Fortress recommends reviewing device inventories ahead of these deadlines to ensure systems are upgraded in advance and remain within a supported lifecycle. 

* Some specialized editions of Windows 11 24H2 (e.g. Long Term Support Cycle) will continue to receive extended support through 2029. However, for all other editions we recommend upgrading to Windows 11 25H2.  

Windows Server 2016 End of Support

Support for Windows Server 2016 is scheduled to end on January 12, 2027, which is now less than a year away. After this date, Microsoft will no longer provide security updates, bug fixes, or technical support for the platform. 

Organizations still running Windows Server 2016 should begin planning upgrade or migration strategies to avoid increased security risk and compliance concerns once support ends. 

Fortress recommends reviewing affected systems early to allow sufficient time for testing, upgrades, or workload migration before the end-of-support deadline. 

Need help planning your transition?

Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure.

Patch Tuesday Summary

Microsoft March 2026 Patch Tuesday 
83 vulnerabilities disclosed, including 3 critical and 2 zero-days. By category:

• 43 Elevation of Privilege 
• 17 Remote Code Execution 
• 9 Information Disclosure 
• 4 Denial of Service 
• 4 Spoofing 
• 2 Denial of Service

Critical Common Vulnerabilities and Exposures (CVEs)

Windows Zero-Days

Other Critical CVE’s Worth Mentioning

Microsoft March 2026 Security Update Release

3rd Party Critical CVE’s Worth Mentioning

Adobe Products *

Adobe Security Bulletins

Cisco *

Cisco Security Advisories

Fortinet *

Fortinet PSIRT Advisories

Ivanti *

Ivanti March 2026 Security Update

SAP *

SAP March 2026 Security Notes

VEEAM *

VEEAM KB Notes

Google Chrome

• Version: 146.0.7680.71/72 (Windows and Mac), 146.0.7680.71 (Linux)  
• Release Date: Tuesday, March 10, 2026 

Chrome Release Notes

* Not handled by Fortress SRM. 

Threat Intelligence Trends – March 2026

The following resources are grouped by threat type / category. 

Emerging Threats

Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East   Check Point Research observed a surge in Iranian‑linked attempts to compromise IP cameras across Israel, Gulf states, Lebanon, and Cyprus, beginning February 28, 2026. The targeting appears to support battlefield intelligence and potential missile operations, with earlier activity aligning to geopolitical flashpoints such as Iran’s temporary airspace closure.  
Read more

China‑Nexus Activity Against Qatar Observed Amid Expanding Regional Tensions   
Check Point Research observed increased activity from Chinese‑nexus APT groups targeting Qatar, including attempts by the Camaro Dragon threat actor to deploy PlugX malware within one day of the Middle East escalation. The attackers leveraged ongoing regional conflict to craft credible lures and rapidly adapt operations, highlighting China‑linked actors’ agility and expanding focus on the Gulf region. 
Read more   

Iranian MOIS Actors & the Cyber Crime Connection   
Check Point Research reports that Iranian Ministry of Intelligence and Security (MOIS)–linked groups, including Void Manticore and MuddyWater, are increasingly leveraging cybercriminal tools, services, and infrastructure to support state objectives. This convergence enhances operational capabilities, expands deniability, and blurs attribution as Iranian actors adopt ransomware branding, commercial infostealers, and criminal‑ecosystem tradecraft. 
Read more

Iran-Linked MuddyWater Deploys New Dindoor Malware Against U.S. Networks   
SOCRadar reports that Iranian APT MuddyWater (Seedworm) targeted multiple U.S. organizations—including a bank, airport, nonprofit, and a defense‑linked software firm—using a newly discovered backdoor called Dindoor. The campaign, active since early 2026, also leveraged a second backdoor (Fakeset) and attempted data exfiltration via Rclone, underscoring the group’s expanding espionage capabilities during heightened geopolitical tensions. 
Read more

Social Engineering Attacks

Criminals Impersonating City and County Officials in Phishing Emails for Planning and Zoning Permits   
The FBI warns of a phishing scheme in which criminals impersonate city and county planning and zoning officials to solicit fraudulent payments. Attackers use real permit information and professional‑looking emails to deceive victims into sending money via wire transfer, peer‑to‑peer apps, or cryptocurrency. 
Read more

New A0Backdoor Linked to Teams Impersonation and Quick Assist Social Engineering
BlueVoyant researchers identified a campaign where attackers impersonate IT staff on Microsoft Teams, use email bombing to create urgency, and convince victims to grant remote access through Quick Assist. Once on the device, the threat actors sideload malicious DLLs via digitally signed MSI packages to deploy the new A0Backdoor, which uses anti‑sandbox techniques and covert DNS MX‑based command‑and‑control.  
Read more

Hackers Mimic LastPass Support Emails to Steal Vault Passwords 
A new phishing campaign impersonates LastPass support by forwarding fake email threads and using display‑name spoofing to create urgency around supposed unauthorized account activity. Victims are funneled to fake login pages on domains like verify‑lastpass[.]com, where attackers harvest vault master passwords. 
Read more

Starkiller Phishing Kit   
Researchers at Abnormal uncovered Starkiller, a commercial‑grade phishing kit that proxies real login pages in real time to steal credentials and bypass MFA. By loading genuine sites through attacker‑controlled infrastructure, it captures every keystroke and authentication token while remaining nearly impossible for victims to distinguish from the real thing. 
Read more

Ransomware & Malware Deployment

Hudson Rock Identifies Real‑World Infostealer Infection Targeting OpenClaw Configurations
Hudson Rock discovered the first live case of an infostealer exfiltrating OpenClaw AI‑agent configuration files, marking a major shift from credential theft to stealing tokens, private keys, and personal AI “identity” data. The malware, likely a Vidar variant, used a broad file‑grabbing routine to sweep the victim’s .openclaw directory, capturing gateway tokens, cryptographic keys, and context files that could enable full impersonation of the user’s AI agent. 
Read more

PromptSpy Ushers in a New Era of Android Threats Using GenAI   
ESET researchers uncovered PromptSpy, the first known Android malware to abuse generative AI—specifically Google’s Gemini—to analyze on‑screen elements and guide malicious UI actions for persistence. The malware deploys a built‑in VNC module for remote access, captures lockscreen data, blocks uninstallation with invisible overlays, and primarily targets users in Argentina. 
Read more

Cloud & Infrastructure Exploits

PayPal February 2026 Data Breach Notification   
A coding error in PayPal’s Working Capital loan application exposed sensitive customer data—including names, contact details, Social Security numbers, and dates of birth—from July to December 2025. PayPal reset affected account passwords, issued refunds for unauthorized transactions, and is offering two years of complimentary Equifax credit monitoring to impacted users.  
Read more 

Protecting Your Data: Essential Actions to Secure Experience Cloud Guest User Access   Salesforce warns that threat actors are exploiting misconfigured Experience Cloud guest user settings, allowing unauthorized access to CRM data through a modified AuraInspector scanning tool. The activity stems from overly permissive customer‑configured guest profiles—not a platform vulnerability—and organizations are urged to audit permissions and apply least‑privilege controls immediately. 
Read more 

Recommended Actions

Mitigations

• Enforce strong network segmentation, isolating OT, surveillance systems, and any public‑facing IoT devices. 
• Mandate firmware updates for all IP cameras and IoT appliances; disable UPnP and unnecessary remote access. 
• Harden SQL, SharePoint, VPNs, and remote‑access infrastructure—common targets for MOIS- and Chinese‑linked APT groups. 
• Require privileged access management (PAM) for all admin accounts with MFA enforced. 
• Block high‑risk file types and disable macros for Office installations organization‑wide. 
• Enforce strict egress filtering to prevent exfiltration via Rclone or unauthorized cloud apps. 
• Deploy application allowlisting on critical assets to prevent execution of tools like PlugX or Dindoor/Fakeset backdoors. 

Monitoring/Detection

Emerging Threat & APT Activity

• Track sudden login attempts from Middle East or APAC IP ranges, especially involving VPNs, O365, or identity providers. 
• Monitor IP camera and IoT behavior, including unusual outbound traffic to unknown cloud hosts or uncommon ports. 
• Alert on high‑volume ZIP/RAR creation, staging directories, or command‑line compressions commonly used during espionage operations. 
• Enable robust logging for PowerShell, WMI, LDAP queries, and movement patterns associated with MuddyWater, Void Manticore, and other Iranian/Chinese‑linked threat actors. 
• Detect PlugX, Dindoor, or Fakeset indicators such as DLL sideloading, unexpected scheduled tasks, anomalous service creation, or DNS queries with NXDOMAIN‑heavy patterns. 

Social Engineering Campaigns

• Flag email bombing campaigns targeting user inboxes, a common precursor to Teams impersonation and IT-helpdesk spoofing. 
• Monitor for unexpected Teams messages from external domains or newly created internal accounts. 
• Detect connections to typosquatted or newly registered LastPass‑themed domains, especially involving password reset attempts. 
• Identify Quick Assist sessions that were not initiated by IT and unusual MSI installation activity from temporary directories. 

Ransomware & Infostealers

• Monitor access to sensitive directories, especially:  
  – .openclaw, AI-agent configs, .json, .pem, .token files 
• Alert on high volume file reads and broad file grabbing behavior typical of Vidar or similar infostealers.  
• Detect outbound connections to:  
  – Pastebin-style data dump sites 
  – Temporary file sharing domains 
  – DNS MX–based C2 traffic (used by A0Backdoor) 

Cloud & Infrastructure Exploits

• Implement continuous monitoring of:  
  – Salesforce guest user permissions 
  – Public/guest object exposure 
  – Audit logs for unexpected API usage 
• In payment/finance systems, monitor:  
  – Bulk access to PII 
  – Scripted or automated form submissions 
  – Authentication failures followed by password resets 

About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering 

Why Patching Matters

Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities. 

Vigilant Managed Cyber Hygiene

 Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management. 

• Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications 
• Critical patches, OS upgrades, and configuration updates for all devices, on/off network 
• 24/7/365 U.S.-based monitoring and real-time reporting for full visibility 

Stay Protected. Stay Proactive.

Learn how Fortress SRM can enhance your cybersecurity strategy

The post Threat and Security Update – March, 2026 appeared first on Fortress SRM.

Stay up to date on critical cyber risks, Microsoft’s February Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats. 

Quick Highlights

• Microsoft Patch Tuesday: 
  – 59 vulnerabilities disclosed
  – 5 rated Critical, 6 are Zero-Day (6 actively exploited, 3 publicly disclosed)  

• High-Severity Advisories from Major Vendors: 
  – Adobe: 44 vulnerabilities patched across 9 products 
  – Cisco: 2 high-severity flaws, affecting Cisco Meeting Management, Cisco TelePresenceCollaboration Endpoint (CE) Software and Cisco RoomOS Software 
  – Fortinet: 2 high-severity flaws in FortiSandbox and FortiOS 
  – SAP: 2 critical vulnerabilities in SAP NetWeaver Application Server, SAP CRM and SAP S/4HANA 
  – Ivanti: 2 high-severity flaws in Ivanti Endpoint Manager (EPM)  

• Top Threats to Watch: 
  – State‑linked impersonation and infiltration campaigns, including DPRK operatives using stolen LinkedIn identities to gain corporate access. 
  – Multi‑stage adversary‑in‑the‑middle (AiTM) phishing & BEC operations, particularly those abusing SharePoint and session-cookie theft for lateral expansion. 

Windows 10 Reaches End of Support

As of October 14, 2025, Microsoft has officially ended support for Windows 10. October 2025’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program. 

• What This Means for Your Organization: 
  – No more security patches or bug fixes for Windows 10 devices  
  – Increased exposure to vulnerabilities and compliance risks  

• Continued support requires either:  
  – Enrolling in Microsoft’s paid ESU program, or  
  – Upgrading to Windows 11 

Need help planning your transition? 
Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure.

Patch Tuesday Summary

Microsoft February 2026 Patch Tuesday 
59 vulnerabilities disclosed, including 5 critical and 6 zero-days. By category:

• 23 Elevation of Privilege 
• 13 Remote Code Execution 
• 7 Spoofing
• 6 Information Disclosures
• 6 Security Feature Bypass
• 3 Denial of Service

Critical Common Vulnerabilities and Exposures (CVEs)

Windows Zero-Days

Other Critical CVE’s Worth Mentioning

Microsoft February 2026 Security Update Release

3rd Party Critical CVE’s Worth Mentioning

Adobe Products *

Adobe Security Bulletins

Cisco *

Cisco Security Advisories

Fortinet *

Fortinet PSIRT Advisories

Ivanti *

Ivanti February 2026 Security Update

SAP *

SAP February 2026 Security Notes

Google Chrome

• Version: 145.0.7632.75/76 (Windows and Mac), 145.0.7632.75 (Linux) 
• Release Date: Friday, February 13, 2026 
• Key Fixes: High CVE-2026-2441 currently exploited in the wild.   

Chrome Release Notes

* Not handled by Fortress SRM. 

Threat Intelligence Trends – February 2026

The following resources are grouped by threat type / category. 

Emerging Threats

DPRK Operatives Impersonate Professionals on LinkedIn to Infiltrate Companies 
North Korean IT workers are using stolen or impersonated LinkedIn profiles—with verified workplace emails and identity badges—to fraudulently secure remote jobs in Western organizations. Their objectives include generating revenue for the DPRK regime and conducting espionage by gaining access to sensitive corporate systems. 
Read more →  

Resurgence of a Multi‑Stage AiTM Phishing and BEC Campaign Abusing SharePoint 
Microsoft researchers uncovered a multi‑stage adversary‑in‑the‑middle (AiTM) phishing and business email compromise campaign targeting organizations in the energy sector, leveraging SharePoint file‑sharing services to deliver phishing payloads. The attackers used compromised trusted identities, inbox‑rule manipulation, and stolen session cookies to silently expand access across multiple organizations. 
Read more →  

LastPass Warns of Fake Maintenance Messages Targeting Users’ Master Passwords 
LastPass is alerting users to an active phishing campaign impersonating the service, sending emails that falsely claim urgent maintenance and instruct users to back up their vaults within 24 hours. These messages redirect victims to a phishing site designed to steal master passwords, though LastPass confirms it never asks for master passwords and is working to dismantle the malicious infrastructure. 
Read more →  

Convincing LinkedIn Comment‑Reply Tactic Used in New Phishing Campaign 
Scammers are flooding LinkedIn posts with fake “reply” comments impersonating the platform, warning users of bogus policy violations and urging them to visit phishing links that often misuse LinkedIn’s own lnkd.in URL shortener. These deceptive replies mimic LinkedIn branding and can redirect victims through multiple malicious domains designed to harvest credentials. 
Read more →  

Ransomware & Malware Deployment

Fake 7‑Zip Downloads Are Turning Home PCs into Proxy Nodes 
A lookalike 7‑Zip website is distributing a trojanized installer that secretly converts victims’ computers into residential proxy nodes, hiding behind a functional copy of the legitimate 7‑Zip program. The malware silently drops additional components (Uphero.exe, hero.exe, hero.dll) and abuses trusted channels—such as YouTube tutorials referencing the wrong download domain—to funnel users toward the malicious site. Read more →  

Reynolds: Defense Evasion Capability Embedded in Ransomware Payload 
A recent Reynolds ransomware campaign stood out because the payload included a bring‑your‑own‑vulnerable‑driver (BYOVD) componentdirectly inside the ransomware itself, rather than as a separate pre‑deployment tool. The bundled vulnerable NsecSoft NSecKrnl driver enables the ransomware to kill security processes, representing an unusual but increasingly common technique for defense impairment. 
Read more →  

Malicious Use of Virtual Machine Infrastructure 
Sophos researchers uncovered that bulletproof hosting providers are abusing legitimate ISPsystem virtualization infrastructure to mass‑deploy Windows virtual machines with identical autogenerated hostnames, many of which are later used in ransomware operations and other cybercriminal activity. These templated VMs have been linked to incidents involving LockBit, Qilin, BlackCat/ALPHV, NetSupportRAT, and previously exposed Conti/TrickBot operators, illustrating how large‑scale image reuse creates cover for threat actors. Read more →  

VoidLink: The Cloud‑Native Malware Framework 
Check Point Research uncovered VoidLink, a highly modular cloud‑native Linux malware framework composed of custom loaders, implants, rootkits, and more than 30 plugin modules designed for long‑term, stealthy persistence in modern cloud and container environments. Written in Zig, VoidLink can detect major cloud platforms and container runtimes, harvest cloud and Git credentials, and uses extensive OPSEC features such as runtime code encryption, self‑deletion, and adaptive behavior to evade detection. Read more →  

Cloud & Infrastructure Exploits

Notepad++ Infrastructure Hijacked in State‑Linked Supply Chain Attack 
Notepad++ suffered an infrastructure‑level compromise in which attackers hijacked update traffic and selectively redirected targeted users to malicious update servers, enabling delivery of a custom backdoor called *Chrysalis*. The attack did not exploit Notepad++ code but stemmed from a compromised shared hosting provider, with evidence suggesting a likely state‑sponsored threat actor. 
Read more →  

Silent Push Uncovers New Magecart Network Targeting Global Payment Providers 
Silent Push researchers discovered a long‑running web‑skimming (Magecart) campaign active since at least early 2022, involving a vast network of malicious domains injecting obfuscated JavaScript into compromised e‑commerce sites. The campaign targets major payment networks—including American Express, Diners Club, Discover, JCB, Mastercard, and UnionPay—stealing customer credit card data during checkout via fake payment forms. 
Read more →  

AI-Driven Threats

Silent Brothers: Ollama Hosts Form Anonymous AI Network Beyond Platform Guardrails 
SentinelOne and Censys uncovered an unmanaged, publicly accessible ecosystem of more than 175,000 exposed Ollama AI hosts across 130 countries, forming a shadow AI compute layer that operates outside standard monitoring and governance boundaries. Nearly half of these hosts are configured with tool‑calling capabilities—allowing code execution, API access, and system interaction—creating significant security risks as attackers can exploit them for automation, malware deployment, or large‑scale abuse. 
Read more →  

KONNI Targets Developers With AI‑Generated PowerShell Malware 
Check Point Research uncovered a North Korea–aligned KONNI phishing campaign targeting software developers and engineering teams across Japan, Australia, and India using AI‑generated PowerShell backdoors. The lures mimic legitimate blockchain‑related project documentation, signaling an effort to compromise development environments and access sensitive infrastructure, API keys, and cryptocurrency assets. 
Read more →  

VoidLink: Early Evidence of Advanced AI‑Generated Malware 
Check Point Research identified VoidLink as one of the first fully documented cases of advanced malware predominantly created through AI‑driven development, reaching a functional 88,000‑line implant in under a week. Operational security leaks exposed development artifacts—including sprint plans, specification documents, and source code—revealing that the framework was planned and built using Spec‑Driven Development, with AI generating architecture, modules, and documentation at a pace previously seen only in well‑resourced threat groups. 
Read more →  

Recommended Actions

Mitigations

• Prioritize February Patch Tuesday updates across Windows, Office, and third‑party platforms (Adobe, Cisco, Fortinet, SAP, Ivanti). Ensure high‑severity vulnerabilities—especially the 6 Windows zero‑days—are patched immediately. 
• Block and monitor impersonation risks by enforcing strong identity verification, MFA, and continuous monitoring for anomalous login patterns or new devices. 
• Harden cloud and virtualization infrastructure against threats like VoidLink, ISPsystem VM abuse, and cloud‑native malware by enforcing least privilege, reviewing API keys, and monitoring for unauthorized container or VM deployments. 
• Secure endpoints and browsers by restricting access to unverified download sites to prevent malware like fake 7‑Zip installers. 

Monitoring

• Monitor identity platforms and email systems for indicators of AiTM activity, MFA bypass attempts, session‑cookie theft, and inbox rule manipulation. 
• Watch for signs of compromised developer environments, including suspicious PowerShell execution, anomalous Git activity, or unauthorized cloud resource creation. 
• Track network indicators tied to large botnets or proxy-node malware, such as unexplained outbound connections or VM instances with identical hostnames. 
• Increase telemetry collection in cloud environments, focusing on unknown containers, unusual API calls, or disabled logging. 

Detection Tips

• Look for MFA push fatigue patterns, unexpected MFA approvals, or sessions authenticated without corresponding MFA prompts. 
• Flag AI‑generated PowerShell scripts or obfuscated command-line behavior linked to KONNI or AI‑assisted malware families. 
• Detect anomalous SharePoint activity, including mass file sharing, newly created sharing links, or impersonated identities distributing files. 
• Scan for BYOVD techniques, particularly attempts to load vulnerable kernel drivers such as NsecSoft NSecKrnl in ransomware deployment. 
• Monitor web traffic for Magecart-like patterns, such as injected JavaScript, unauthorized payment form changes, or repeated contact with suspicious domains. 

About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering 

Why Patching Matters

Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities. 

Vigilant Managed Cyber Hygiene

 Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management. 

• Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications 
• Critical patches, OS upgrades, and configuration updates for all devices, on/off network 
• 24/7/365 U.S.-based monitoring and real-time reporting for full visibility 

Stay Protected. Stay Proactive.

Learn how Fortress SRM can enhance your cybersecurity strategy → 

The post Threat and Security Update – February, 2026 appeared first on Fortress SRM.

Stay up to date on critical cyber risks, Microsoft’s January Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats. 

Quick Highlights

• Microsoft Patch Tuesday: 
  – 112 vulnerabilities disclosed
  – 8 rated Critical, 3 are Zero-Day (1 actively exploited)  

• High-Severity Advisories from Major Vendors: 
  – Adobe: 17 critical vulnerabilities patched across 11 products 
  – Fortinet: 1 high-severity flaws in FortiOS and FortiSwitchManager 
  – SAP: 4 critical vulnerabilities in SAP Landscape Transformation, SAP S/4HANA, and SAP Wily Introscope Enterprise Manager 
  – n8n: Fixed critical vulnerability affecting versions 1.65–1.120.4 
  – React Server: Disclosed critical RCE vulnerability in React Server Components 
  – Veeam: Disclosed multiple critical vulnerabilities affecting Veeam Backup & Replication v 13.0.1.180 and earlier   

• Top Threats to Watch: 
  – AI‑Powered Social Engineering & Identity Attacks – Attackers are abusing OAuth device-code authorization flows, QR‑code “Quishing,” and LinkedIn comment‑reply impersonation to bypass MFA and steal credentials at scale. 
  – Supply‑Chain & Developer Ecosystem Compromises – Major compromises include the Office Assistant supply‑chain attack, malicious VS Code/OpenVSX extensions (GlassWorm), and breach of Target developer systems—highlighting continued targeting of dev environments and CI/CD ecosystems. 
  – AI‑Driven Malware & Botnet Expansion – GoBruteforcer campaigns leverage AI‑generated default credentials and weak configurations to compromise 50,000+ servers, especially crypto and blockchain environments. 
  – Malicious Browser Extensions Harvesting AI Chats & Corporate Data – Two Chrome extensions with 900k+ installs stole ChatGPT/DeepSeek conversations and corporate browsing data, demonstrating large‑scale exfiltration from trusted browser ecosystems. 
  – Critical RCE Vulnerabilities Actively Exploited in the Wild – Active exploitation of WatchGuard Firebox (CVE‑2025‑14733), Fortinet FG‑IR‑19‑283, React Server Components (CVSS 10.0), Veeam Backup & Replication, and n8n workflow vulnerabilities poses severe risk for remote code execution, config theft, and full system compromise. 

Windows 10 Reaches End of Support

As of October 14, 2025, Microsoft has officially ended support for Windows 10. This month’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program. 

• What This Means for Your Organization: 
  – No more security patches or bug fixes for Windows 10 devices  
  – Increased exposure to vulnerabilities and compliance risks  

• Continued support requires either:  
  – Enrolling in Microsoft’s paid ESU program, or  
  – Upgrading to Windows 11 

Need help planning your transition? 
Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure.

Patch Tuesday Summary

Microsoft January 2026 Patch Tuesday 
112 vulnerabilities disclosed, including 8 critical and 3 zero-days. By category:

• 57 Elevation of Privilege 
• 22 Remote Code Execution 
• 22 Information Disclosure 
• 5 Spoofing 
• 3 Tampering 
• 3 Security Feature Bypass 
• 2 Denial of Service 

Critical Common Vulnerabilities and Exposures (CVEs)

Windows Zero-Days

Other Critical CVE’s Worth Mentioning

Microsoft January 2026 Security Update Release

3rd Party Critical CVE’s Worth Mentioning

Adobe Products *

Adobe Security Bulletins

Fortinet *

Fortinet PSIRT Advisories

SAP *

SAP January 2026 Security Notes

Google Chrome

• Version: 144.0.7559.59/60 (Windows and Mac), 144.0.7559.59 (Linux) 
• Release Date: Tuesday, January 13, 2026 
• Key Fixes: High CVE-2026-0899, High CVE-2026-0900 and High CVE-2026-0901 

Chrome Release Notes

Mozilla Firefox

• Version: Firefox 147 
• Release Date: Tuesday, January 13, 2026 
• Key Fixes: High CVE-2026-0877/78/79/80/81/82 

Mozilla Release Notes

* Not handled by Fortress SRM. 

Threat Intelligence Trends – January 2026

The following resources are grouped by threat type / category. 

Emerging Threats

SOCRadar Annual Dark Web Report 2025  
SOCRadar’s 2025 Annual Dark Web Report highlights a data‑driven overview of underground cybercrime, showing that data leaks dominate dark web activity, with database‑related threats making up 64.06% of observed incidents and selling posts 59.32%. The United States remains the top target, responsible for 19.91% of dark‑web mentions and over 41% of ransomware attacks, while Public Administration emerges as the most exposed sector at 12.85%. 
Read more → 

Silent Push Uncovers Long‑Running Magecart Skimming Campaign  
Security researchers discovered a sophisticated Magecart web‑skimming network that has been active since at least 2022, targeting major payment cards including American Express, Discover, Mastercard, JCB, UnionPay, and others. 
Read more →

Target’s Dev Server Taken Offline After Hackers Claim Theft of Internal Source Code 
Hackers published samples of what they claim is stolen internal Target source code on a public Gitea instance, advertising a much larger 860GB dataset for sale and referencing internal systems, developer metadata, and private repositories. 
Read more →

Trust Wallet Confirms Extension Hack Led to $7 Million Crypto Theft 
Trust Wallet confirmed that a malicious Chrome extension update (version 2.68) published on December 24 allowed attackers to exfiltrate sensitive wallet data, resulting in approximately $7 million in stolen cryptocurrency. 
Read more →

Senior U.S. Officials Impersonated in Malicious Smishing & Vishing Campaign 
An IC3 Public Service Announcement warns that since at least 2023, threat actors have been impersonating senior U.S. government officials through smishing (SMS phishing) and AI‑generated vishing calls to build rapport with victims before moving conversations to encrypted apps. 
Read more →

Ransomware & Malware Deployment

Office Assistant Supply Chain Attack Delivers Malicious Plugin  
Security researchers uncovered a long‑running supply‑chain attack in which the popular Chinese AI‑powered Office Assistant application (version 3.1.10.1) secretly loaded a malicious downloader component that contacted C2 domains, retrieved multi‑stage payloads, and ultimately deployed the Mltab malicious browser plugin.
Read more →

GlassWorm Goes Mac: Fresh Infrastructure, New Tricks  
A new GlassWorm wave marks a major pivot from Windows to macOS, distributing malicious VS Code/OpenVSX extensions that use AES‑256‑CBC–encrypted JavaScript payloads instead of earlier invisible Unicode or Rust‑based techniques.
Read more →

MacSync Stealer Evolves into Code‑Signed Swift Malware 
Security researchers discovered a new MacSync Stealer variant delivered as a code‑signed and notarized Swift application inside a disk image, allowing it to bypass Gatekeeper and avoid traditional execution‑chain indicators. 
Read more →

GachiLoader: Obfuscated Node.js Loader Spread via YouTube Ghost Network 
Check Point Research identified GachiLoader, a heavily obfuscated Node.js‑based loader distributed through compromised YouTube accounts promoting fake game cheats and cracked software. 
Read more → 

Social Engineering Exploits

Convincing LinkedIn Comment‑Reply Tactic Used in New Phishing Campaign   
A new phishing campaign is flooding LinkedIn posts with fake “reply” comments impersonating LinkedIn, falsely claiming policy violations and urging users to click external links masked with lnkd.in shorteners for added credibility. 
Read more → 

GRU‑Linked BlueDelta Evolves Credential‑Harvesting Tactics 
Russia‑linked BlueDelta (APT28) expanded its credential‑harvesting campaigns throughout February–September 2025, targeting Turkish energy and nuclear researchers, a European think tank, and organizations in North Macedonia and Uzbekistan. The group used highly tailored lures, spoofed Microsoft OWA, Google, and Sophos VPN login pages. 
Read more → 

North Korean Kimsuky Actors Leverage Malicious QR Codes in Spearphishing (Quishing) Campaigns 
A new FBI Cybersecurity Advisory warns that North Korean Kimsuky actors are increasingly using malicious QR codes (“Quishing”) in highly targeted spearphishing campaigns against U.S. think tanks, NGOs, academia, and government‑linked entities. 
Read more → 

DocuSign Impersonation Wave Leveraging Real‑Time LogoKit Customization 
Security researchers  identified a growing wave of DocuSign impersonation attacks in which phishing emails mimic authentic DocuSign notifications, spoof sender domains, and address recipients by their login name to increase credibility. 
Read more → 

Access Granted: Phishing With Device Code Authorization Enables Stealthy M365 Account Takeovers 
Proofpoint researchers warn that multiple threat clusters—both financially motivated and state‑aligned—are now abusing Microsoft’s OAuth 2.0 device code authorization flow to trick users into granting attackers access to their Microsoft 365 accounts. 
Read more → 

AI-Driven Threats

Inside GoBruteforcer: AI‑Generated Server Defaults, Weak Passwords, and Crypto‑Focused Campaigns 
Check Point Research analyzed an evolved GoBruteforcer botnet variant that exploits AI‑generated server deployment examples and legacy stacks like XAMPP, which frequently include predictable default usernames and weak passwords, leaving over 50,000 internet‑facing servers vulnerable. 
Read more → 

LLMs & Ransomware: An Operational Accelerator, Not a Revolution 
SentinelOne researchers conclude that large language models (LLMs) are accelerating ransomware operations—improving speed, scalability, multilingual phishing, tooling generation, data triage, and negotiation—without fundamentally transforming attacker tactics. 
Read more → 

Chrome Extensions Impersonate AI Tools to Steal ChatGPT & DeepSeek Chats 
Security researchers report that two malicious Chrome extensions—Chat GPT for Chrome with GPT‑5, Claude Sonnet & DeepSeek AI and AI Sidebar with Deepseek, ChatGPT, Claude and more—accumulated over 900,000 installs while secretly exfiltrating full ChatGPT and DeepSeek conversation data and users’ browsing activity. 
Read more → 

Vulnerabilities Actively Exploited

Security Advisory: Vulnerability in n8n Versions 1.65–1.120.4 
n8n disclosed a critical security vulnerability affecting versions 1.65–1.120.4, specifically in workflows using a Form Submission trigger with file upload and a Form Ending node returning binary data. 
Read more → 

Vulnerabilities Resolved in Veeam Backup & Replication 13.0.1.1071 (KB4792) 
Veeam’s KB4792 advisory discloses multiple vulnerabilities affecting Veeam Backup & Replication 13.0.1.180 and all earlier v13 builds, all of which were fixed in version 13.0.1.1071. 
Read more → 

Critical Security Vulnerability in React Server Components (RSC) 
React disclosed CVE‑2025‑55182, a critical unauthenticated remote code execution (RCE) vulnerability (CVSS 10.0) affecting React Server Components, caused by unsafe deserialization of payloads sent to React Server Function endpoints. 
Read more → 

WatchGuard Firebox iked Out‑of‑Bounds Write Vulnerability (WGSA‑2025‑00027) 
WatchGuard disclosed WGSA‑2025‑00027, a critical Out‑of‑Bounds Write vulnerability (CVE‑2025‑14733) in the Fireware OS ikedprocess, allowing remote unauthenticated RCE on Firebox appliances. 
Read more → 

Product Security Advisory & Analysis: Observed Abuse of FG‑IR‑19‑283 (CVE‑2020‑12812) 
Fortinet has confirmed active, in‑the‑wild exploitation of the long‑patched FortiGate authentication bypass vulnerability FG‑IR‑19‑283 / CVE‑2020‑12812, originally disclosed in July 2020. 
Read more → 

Recommended Actions

Mitigations

• Patch all affected systems immediately, prioritizing critical vulnerabilities in Microsoft Patch Tuesday (8 Critical, 3 Zero‑Days), Adobe products, SAP, Fortinet, and WatchGuard Fireware OS (CVE‑2025‑14733) to prevent remote code execution and active exploitation attempts. 
• Upgrade or retire Windows 10 endpoints (end‑of‑support October 14, 2025) or enroll devices in Microsoft’s ESU program to maintain patch coverage. 
• Harden identity infrastructure by enforcing MFA everywhere, disabling vulnerable LDAP/2FA configurations in FortiGate devices, and reviewing OAuth app permissions to defend against device‑code phishing abuses (per Proofpoint research). 
• Remove malicious or suspicious browser extensions, especially AI‑related Chrome add-ons impersonating legitimate tools, and enforce extension allowlisting enterprise‑wide to prevent “prompt‑poaching” attacks. 
• Apply security updates for n8n workflows, upgrading to version 1.121.0+ to fix the file‑access vulnerability in Form Submission workflows. 
• Update React applications and frameworks (Next.js, Parcel/Vite RSC plugins) to patched versions addressing the CVE‑2025‑55182 RCE deserialization flaw. 
• Ensure Veeam Backup & Replication is updated to version 13.0.1.1071 to close RCE paths exploitable by Backup/Tape Operators or Backup Admins. 
• Harden exposed servers and databases by eliminating default/AI‑generated weak credentials to reduce susceptibility to GoBruteforcer botnet campaigns. 

Monitoring

• Monitor identity platforms (Azure AD/M365) for unusual OAuth device‑code authorizations, unexpected app consents, anomalous MFA‑less logins, and session‑token reuse attempts. 
• Watch for VPN and firewall anomalies, including FortiGate login attempts using case‑variant usernames (e.g., Jsmith vs jsmith) and WatchGuard Firebox connections to any published Indicators of Attack (IOAs). 
• Enable alerting for Chrome/Edge extension installations, especially AI sidebar/chat extensions, and track outbound connections to known attacker C2 domains associated with data‑exfiltrating browser extensions. 
• Monitor for signs of n8n exploitation, such as unexpected file reads, unauthorized workflow executions, or abnormal file‑handling behavior in Form Submission workflows. 
• Continuously monitor internet‑facing services (FTP/MySQL/PostgreSQL/phpMyAdmin) for brute‑force attempts, high‑volume authentication failures, and scanning activity consistent with GoBruteforcer botnet behavior. 

Detection Tips

• Look for RCE exploitation attempts targeting WatchGuard Firebox (CVE‑2025‑14733), including unexpected outbound connections to attacker IPs, exfiltration of config files, or rapid creation of gzip archives containing credentials. 
• Detect device‑code phishing chains by flagging user activity involving login.microsoft.com/devicelogin with suspicious timing, unexpected device codes, or unknown applications requesting access tokens. 
• Identify malicious browser extensions by scanning for extensions communicating with domains such as deepaichats[.]com, chatsaigpt[.]com, or suspicious Lovable‑hosted infrastructure used in AI‑chat exfiltration campaigns. 
• Check for indicators of GoBruteforcer infection, including newly dropped web shells, outbound IRC beaconing, high‑frequency scanning of public IP space, or processes using default/AI‑generated usernames (e.g., myuser, appuser). 
• Hunt for React Server Component exploitation by reviewing server logs for malformed RSC payloads, unexpected POST requests to RSC/Server Function endpoints, or errors related to deserialization. 
• Inspect n8n logs for anomalous access patterns, especially unauthorized POST requests to Form Submission endpoints that include unexpected file‑handling fields. 

About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering 

Why Patching Matters

Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities. 

Vigilant Managed Cyber Hygiene

 Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management. 

• Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications 
• Critical patches, OS upgrades, and configuration updates for all devices, on/off network 
• 24/7/365 U.S.-based monitoring and real-time reporting for full visibility 

Stay Protected. Stay Proactive.

Learn how Fortress SRM can enhance your cybersecurity strategy → 

The post Threat and Security Update – January, 2026 appeared first on Fortress SRM.

Stay up to date on critical cyber risks, Microsoft’s December Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats. 

Quick Highlights

• Microsoft Patch Tuesday: 
  – 57 vulnerabilities disclosed 
  – 3 rated Critical, 3 are Zero-Day (1 actively exploited) 

• Adobe Security Updates: 
  – 139 vulnerabilities patched across 5 products 
  – 14 rated Critical, affecting Creative Cloud Desktop Application, Acrobat and Reader, DNG Software Development Kit (SDK), Experience Manager, and ColdFusion

• High-Severity Advisories from Major Vendors: 
  – Cisco: 1 critical-severity flaws in React and Next.js Frameworks 
  – Fortinet: 1 critical and 1 high-severity flaws in FortiOS, FortiWeb, FortiProxy, FortiSwitchManager, and FortiSandbox 
  – Ivanti: 1 critical and 3 high-severity flaws in Ivanti Endpoint Manager (EPM) 
  – SAP: 3 critical vulnerabilities in SAP Solution Manager, SAP Commerce Cloud, and SAP jConnect 
  – Google: Fixed 3 security issues, one that is being actively exploited 
  – Android: Fixed 2 actively exploited zero-days  

• Top Threats to Watch: 
  – Fortinet SSO Auth Bypass – Critical flaws allow attackers to bypass FortiCloud authentication. 
  – APT Collaboration – Gamaredon (Russia) and Lazarus (North Korea) sharing infrastructure. 
  – Insider Breach at CrowdStrike – Employee leaked internal screenshots to hackers. 
  – GlassWorm Malware – Self-propagating worm hiding malicious code in VS Code extensions. 
  – Storm-0249 Ransomware Tactics – Abuse of EDR software for stealthy persistence. 
  – Massive Phishing Campaign – 4,300+ domains targeting hotel guests and vacation planners. 
  – AI-Orchestrated Espionage – Claude AI exploited for autonomous cyber operations. 
  – FBI/CISA Alerts – Account takeover fraud, virtual kidnapping scams, and pro-Russia hacktivist attacks on critical infrastructure. 

Windows 10 Reaches End of Support

As of October 14, 2025, Microsoft has officially ended support for Windows 10. This month’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program. 

• What This Means for Your Organization: 
  – No more security patches or bug fixes for Windows 10 devices  
  – Increased exposure to vulnerabilities and compliance risks  

• Continued support requires either:  
  – Enrolling in Microsoft’s paid ESU program, or  
  – Upgrading to Windows 11 

Need help planning your transition? 
Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure.

Patch Tuesday Summary

Microsoft December 2025 Patch Tuesday 
57 vulnerabilities disclosed, including 3 critical and 3 zero-days. By impact category:

• 28 Elevation of Privilege 
• 19 Remote Code Execution 
• 4 Information Disclosure 
• 3 Denial of Service  
• 3 Spoofing 

Critical Common Vulnerabilities and Exposures (CVEs)

Windows Zero-Days

Other Critical CVE’s Worth Mentioning

Microsoft December 2025 Security Update Release 

3rd Party Critical CVE’s Worth Mentioning

Adobe Products *

Adobe Security Bulletins

Cisco *

Cisco Security Advisories

Fortinet *

Fortinet PSIRT Advisories

Ivanti *

Ivanti December 2025 Security Update

SAP *

SAP December 2025 Security Notes

Android

• Release Date: Friday, December 5, 2025  
• Key Fixes: 2 actively exploited zero-days, CVE-2025-48633 and CVE-2025-48572 involving information disclosure and elevation of privilege. 

Android Security Bulletin 

Google Chrome

• Version: 143.0.7499.109/.110 (Windows and Mac), 143.0.7499.109 (Linux) 
• Release Date: Wednesday, December 10, 2025 
• Key Fixes: CVE-2025-14372, CVE-2025-14373, and 1 high severity actively exploited not currently classified. 

Chrome Release Notes

* Not handled by Fortress SRM. 

Threat Intelligence Trends – December 2025

The following resources are grouped by threat type / category. 

Emerging Threats

Fortinet warns of critical FortiCloud SSO login auth bypass flaws  
Fortinet has released security updates to address two critical vulnerabilities in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that could allow attackers to bypass FortiCloud SSO authentication. Read more →   

Alliances of convenience: How APTs are beginning to work together 
New evidence uncovered suggests that two of the world’s most aggressive advanced persistent threat (APT) actors, Russia-aligned Gamaredon and North Korea’s Lazarus, may be operating on shared infrastructure. Read more →  

CrowdStrike Catches Insider Feeding Information to Hackers 
American cybersecurity firm CrowdStrike has confirmed that an insider shared screenshots taken on internal systems with hackers after they were leaked on Telegram by the Scattered Lapsus$ Hunters threat actors. Read more →  

Ransomware & Malware Deployment

GlassWorm: First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace 
GlassWorm malware targeting VS Code extensions on OpenVSX marketplace, using invisible Unicode characters that hides malicious intent in code editors. Read more →  

Storm-0249 Hijacks EDR Software for Ransomware Staging  
Financially motivated initial access broker (IAB) @Storm-0249 has shifted from using broad phishing to stealthier methods of initial access and establishing persistence. To achieve this, the IAB abused trusted endpoint detection and response (EDR) processes. Read more →  

Social Engineering Exploits

Thousands of Domains Target Hotel Guests in Massive Phishing Campaign  
A Russian-speaking threat actor operating an ongoing, mass phishing campaign targeting people who might be planning (or about to leave for) a vacation has registered more than 4,300 domain names used in the attacks since the beginning of the year. Read more →  

AI-Driven Threats

Claude AI Abused in AI-orchestrated Cyber Espionage Campaign 
This campaign demonstrated unprecedented integration and autonomy of AI throughout the attack lifecycle, with the threat actor manipulating Claude Code to support reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration operations largely autonomously. Read more →   

FBI/CISA Advisories

Account Takeover Fraud via Impersonation of Financial Institution Support 
The FBI warns of cyber criminals impersonating financial institutions to steal money or information in Account Takeover (ATO) fraud schemes. Read more →  

Criminals Using Altered Proof-of-Life Media to Extort Victims in Virtual Kidnapping for Ransom Scams 
The FBI warns the public about criminals altering photos found on social media or other publicly available sites to use as fake proof of life photos in virtual kidnapping for ransom scams. Read more →   

Title Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure 
The FBI, CISA, NSA, and partners release a joint advisory on Russian hacktivists targeting critical infrastructure with less sophisticated, lower impact attacks via VNC connections. Read more →  

Recommended Actions

Mitigations

• Apply Microsoft December Patch Tuesday updates immediately, prioritizing critical and zero-day vulnerabilities. 
• Patch Adobe, Cisco, Fortinet, Ivanti, and SAP products to address critical flaws and prevent exploitation. 
• Upgrade or enroll in Extended Security Updates (ESU) for Windows 10 devices to maintain compliance and reduce risk. 
• Implement least privilege access and enforce MFA to reduce insider threat impact. 
• Harden EDR configurations and validate integrity to prevent abuse by ransomware actors. 

Monitoring

• Monitor for FortiCloud SSO authentication bypass attempts and unusual login patterns. 
• Track APT-related infrastructure indicators (Gamaredon, Lazarus) and insider activity anomalies. 
• Watch for GlassWorm indicators in VS Code extensions and OpenVSX marketplace downloads. 
• Monitor DNS and web traffic for phishing domains targeting travel/hospitality. 
• Observe AI-related activity for signs of automated reconnaissance or exploitation. 

Detection Tips

• Deploy rules to detect Unicode-based obfuscation in code repositories (GlassWorm). 
• Alert on unexpected EDR process manipulation or persistence techniques (Storm-0249). 
• Flag large-scale domain registrations and suspicious email campaigns linked to phishing. 
• Detect anomalous API calls or privilege escalations in Fortinet, Ivanti, and SAP environments. 
• Use behavioral analytics to identify AI-driven attack patterns and insider data exfiltration. 

About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering 

Why Patching Matters

Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities. 

Vigilant Managed Cyber Hygiene

 Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management. 

• Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications 
• Critical patches, OS upgrades, and configuration updates for all devices, on/off network 
• 24/7/365 U.S.-based monitoring and real-time reporting for full visibility 

Stay Protected. Stay Proactive.

Learn how Fortress SRM can enhance your cybersecurity strategy → 

The post Threat and Security Update – December, 2025 appeared first on Fortress SRM.

Written by: Donovan Crowley, Fortress SRM Director of Security Strategy

Cloud environments aren’t just that “data center in the sky” anymore. They have become the backbone of modern enterprise IT. And with hybrid and multi-cloud setups becoming the norm, Microsoft Azure is often at the center, powering it all. 

But here’s the catch: with great flexibility comes great complexity… and where there’s complexity, there’s risk. 

Azure’s power lies in its configurability, but that same flexibility makes misconfigurations easy to create and hard to spot. In fact, misconfigurations remain one of the leading causes of cloud breaches today, far more common than flashy exploits or headline-grabbing vulnerabilities. 

Across our assessments and incident response cases, we see the same pattern: a small configuration slip, seemingly harmless, quietly escalates into serious exposure. And often, it happens without generating a single alert. 

Some of the most overlooked risks we see again and again include: 

• Overly permissive access rules that expose private workloads. 
• Local or legacy accounts bypassing MFA or Conditional Access. 
• Dormant identities and unused resources creating governance blind spots. 
• Misconfigured or missing logs that hinder threat detection. 
• Persistent admin privileges without PIM or just-in-time controls. 

Alone, these issues might not look like much. But in a fast-moving cloud environment, they stack up. And attackers love that hidden surface, auditors find it fast, and defenders usually spot it too late. 

In this post, we’ll break down the top five Azure misconfigurations we see in the wild, why even experienced teams miss them, and how a focused Cloud Security Posture Management (CSPM) assessment can help you fix them quickly. 

Top 5 Azure Misconfigurations Putting You At Risk

Azure makes it easy to move fast. You can deploy an entire workload in minutes, integrate it, and scale instantly. But that speed also means you can misconfigure it just as quickly. 

Cloud environments never sit still. New resources spin up, identity assignments change, and hidden dependencies. As a result, the same core misconfigurations show up in almost every assessment we run, whether the organization is a small startup or a Fortune 100 enterprise. 

Here are the top five issues you cannot afford to ignore.  

1. NSGs and RBAC Gone Wild: The Danger of Overly Permissive Permissions

Too much access + too many privileges = your biggest Azure attack surface.  

What to Watch For (Common Symptoms)

• Open inbound Network Security Group (NSG) rules that allow traffic from 0.0.0.0/0, especially for RDP (port 3389) and SSH (port 22). 
• Excessive RBAC role assignments, where users or groups are given broad roles (e.g., Owner or Contributor) where specific, granular functional roles should be used (e.g., Reader, Virtual Machine Contributor, etc.). 
• “Temporary” or convenience-driven configuration access that never gets removed.

Why It Matters

Exposed ports are top targets for brute-force and credential-stuffing attacks. Overprivileged accounts turn a minor breach into a major one. Regulatory frameworks like CIS, ISO, and NIST flag this as high-right.  

What to Check Right Now

1.) Do any NSGs allow unrestricted inbound access? 
2.) Do you have more than a handful of Owner/Contributor assignments? 
3.) Are administrative ports directly exposed to the internet? 

Recommended Fixes

NSG Hardening 

• Restrict inbound access to known IP ranges only. Use IP whitelisting for administrative protocols.
• Remove public exposure entirely where possible and use Azure Bastion for secure admin access. 
• Use Azure site-to-site or point-to-point VPN to your work site or static remote sites instead of public access for resource management. 
• Enforce network hygiene and compliance with Azure Policy, including: 
  – Deny Public Inbound Ports 
  – Deny Internet Facing NSG Rules 

RBAC Hardening 

• Adopt a least-privilege roles only model.
• Favor granular roles such as: 
  – Virtual Machine Contributor 
  – Storage Blob Data Reader 
  – Key Vault Reader 
• Audit role assignments for overprivilege regularly. Example:
  az role assignment list --all --query "[?
roleDefinitionName=='Owner'].[principalName,scope]"
• Schedule recurring RBAC and NSG reviews with resource owners and identity teams.

Pro Tip: Automate the Safety Net 

To scale risk detection and remediation: 

• Use Azure Defender for Cloud and your SIEM to alert on risky NSG or RBAC configurations. 
• Enable Just-in-Time VM Access via Defender to reduce inbound port exposure during operational windows. 

2. Local Admin Accounts That Won’t Quit: The Risk of Skipping Entra ID (Azure AD) Authentication 

Local accounts are like leftover sushi: they might look fine, but they’re a hazard.  

What to Watch For (Common Symptoms) 

• VMs or workloads accessed via local admin accounts, often shared informally among teams. 
• Applications or automation authenticate with static credentials embedded in code or stored insecurely. 
• Service accounts operating without lifecycle control, MFA, or logging. 

These shortcuts may speed things up, but they bypass every layer of modern identity security. 

Why It Matters

Attackers love static secrets, and local accounts bypass modern identity controls. Entra ID bypass = no MFA, no audit trail, and a giant gap in zero-trust.  

What to Check Right Now

1.) Are any VMs or workloads still using local admin accounts? 
2.) Do any apps or scripts rely on embedded secrets? 
3.) Are service accounts operating without logging or lifecycle management? 

Recommended Fixes

Enforce Entra ID Authentication First: 

• Enable Azure AD login for all VMs to centralize authentication and logging. 
• For Windows VMs, use Azure AD joined or Hybrid Join with AADLoginForWindows VM extension. 

Replace Secrets with Managed Identities: 

• Use System-assigned or User-assigned Managed Identities for Azure resources to access other services securely. 
• Eliminate secrets stored in code, environment variables, or key vaults. 

Secure Administrative Access  

• Disable direct local admin access wherever possible. 
• Leverage Azure Bastion or Just-in-Time (JIT) VM Access for secure admin connections. 
• Enforce session expiry, logging, and MFA via Privileged Identity Management (PIM) or conditional access. 

Audit and Cleanup Local Admin Accounts: 

• Inventory all local admin accounts across VM fleets. Use PowerShell or CLI to enumerate accounts:
  Get-LocalGroupMember -Group "Administrators"
• Regularly rotate or remove local accounts not tied to valid operational workflows. 
• Schedule recurring reviews to prevent “set-and-forget” accounts.  

Pro Tip: Continuous Detection 

• Use tools like Microsoft Defender for Cloud and Microsoft Entra ID Identity Protection for continuous detection of anomalous sign-in behavior. 
• Focus on accounts that haven’t yet been migrated to Entra ID.  

3. Stale Resources and Identity Sprawl: Why Azure Cleanup Can’t Wait

Old VMs, unused accounts, orphaned disks… clutter isn’t just messy, it’s also super risky.  

What to Watch For (Common Symptoms) 

• Dormant service principals, legacy user accounts, or invalid Entra ID credentials left active. 
• Stopped or orphaned VMs, unattached disks, and retired resource groups still incurring cost or creating risk. 
• Resource sprawl caused by ad hoc deployments without naming standards, tagging, or lifecycle policies. 

Even well-managed environments accumulate this kind of “cloud waste” and unmanaged sprawl without guardrails. Not only does this create hidden risk, but it also makes audits, costs analysis, and compliance much harder than they need to be.  

Why It Matters

Dormant assets = unmonitored attack surface. Plus, they inflate costs and complicate audits.  

What to Check Right Now

1.) Any identities or service principals not used in 90+ days? 
2.) Stopped or deallocated VMs, unattached disks, or idle load balancers? 
3.) Resources missing tags or lifecycle policies? 

Recommended Fixes 

Audit Entra ID Objects: 

• Scan Entra ID users, groups, and service principals for inactivity:
  (MSOL module deprecated in April): Get-
EntraInactiveSignInUser -LastSignInBeforeDaysAgo 90 -All
• Remove or disable any identities not used in the past 90 days. 
• Rotate shared or service account credentials regularly. 

Identify Stale Azure Resources: 

• Use Azure Advisor and Cost Management to detect unused resources. 
• Enable Azure Resource Graph Explorer to query at scale across subscriptions: 
  resources
| where type == 'microsoft.compute/virtualmachines'
| extend powerState = tostring(properties.extended.instanceView.powerState.displayStatus) 
| where powerState == 'VM deallocated' or powerState == 'VM stopped' 
| project name, resourceGroup, powerState, location 
| order by name asc 

Apply Naming, Tagging, and Lifecycle Standards: 

• Adopt consistent resource naming conventions and tagging requirements for ownership, environment, and expiration. 
• Automate tagging via deployment pipelines or Azure Policy for consistency. 

Pro Tip: Automate Cleanup 

• Build recurring workflows with Azure Automation runbooks or Logic Apps.
• Flag inactive objects and notify resources owners before automatic removal.

4. Missing Logs = Blind Security: Missing Log Configuration on Azure Resources

No logs = no visibility. Without proper logging, breaches, misconfigurations, or insider activity can fly under the radar.  

Logging is the backbone of cloud observability and security. Yet, in many Azure environments, critical resources are provisioned without proper diagnostic settings, leaving teams without visibility into performance, access, or potential compromise. 

Common Symptoms 

• Resources like Virtual Machines, Storage Accounts, Key Vaults, Databases, and App Services do not have diagnostic logs enabled. 
• Logs aren’t routed to a central Log Analytics Workspace (LAW), SIEM, or secure storage. 
• Inconsistent or absent log retention policies across teams or subscriptions.  

Without logs, security teams operate blind, and incidents may only be discovered after significant damage.  

Why It Matters 

Logs are the foundation of detection, investigation, and compliance. Without them, you’re flying blind.  

What to Check Right Now

1.) Are all critical resources logging to a central destination? 
2.) Are retention policies consistent and compliant? 
3.) Are diagnostic settings deployed at scale for all subscriptions and management groups? 

Recommended Fixes 

Enforce Diagnostic Settings at Scale 

• Use built-in Azure Policies to automatically audit and deploy diagnostics, such as: 
  – Audit Diagnostic Settings 
  – Deploy Diagnostic Settings for Key Vault 
  – Audit VMs without Monitoring Agent 
• Assign these policies at management group or subscription level for wide coverage. 

Confirm Logging Across Resource Types 

• List diagnostic settings for resource groups or resource types using the CLI:
   
  az monitor diagnostic-settings list –resource-group <resource-group-name> 
  
• Identify gaps and generate a remediation plan based on priority. 

Centralize Log Routing and Retention 

• Forward logs to: 
  – A Log Analytics Workspace (LAW) for structured queries and alerts 
  – A SIEM platform (e.g., Microsoft Sentinel, Elastic, SentinelOne Singularity) for threat detection 
  – Or secure storage with immutable retention policies for compliance 

Enable Additional Monitoring Signals 

• Activity Logs: Track control-plane activity and administrative actions. 
• VMInsights: Provide rich OS-level visibility for virtual machines. 
• Defender for Cloud logs: Monitor workload-level vulnerability and threat detection. 

Pro Tip: Continuous Coverage 

• Build a “Log Coverage Report” with Azure Monitor Workbooks or custom Resource Graph queries.  
• Use this to continuously assess and visualize log gaps across all assets in your tenant. 

5. Azure Admins Without PIM or Role Controls: A Ticking Time Bomb

Without Just-in-Time (JIT) and Privileged Identity Management (PIM), a single compromised admin can put your entire environment at risk. 

What to Watch For (Common Symptoms) 

• High-privilege roles (Global Admin, User Access Administrator, Owner) assigned permanently to user accounts or groups. 
• No guardrails in place for role assignment, expiration, or user justification. 
• Lack of auditing or monitoring on administrative role usage. 

Permanent admin assignments create a latent breach vector. Attackers are big fans of accounts that never expire. 

Why It Matters 

Violates least privilege and zero trust. Attackers actively target standing admin roles to move laterally. Compliance frameworks demand temporary, auditable, controlled privileged access.  

What to Check Right Now

1.) Which users or groups hold permanent high-privilege roles? 
2.) Are there no approval workflows or time limits in place? 
3.) Is JIT VM access enabled for administrative connections? 

Recommended Fixes 

Enable Privileged Identity Management (PIM) 

• Apply PIM to all high-impact roles including: 
  – Global Administrator 
  – Security Administrator 
  – Owner, Contributor (for resource-level RBAC) 
• Enforce:
  – Time-bound access (e.g., 4-hour windows) 
  – Justification and MFA for elevation 
  – Approval workflows for sensitive roles 

Audit and Rotate Standing Privileges 

• Review all current assignments to high-privilege roles by navigating to the Azure Portal and exporting the assignment list from PIM. 
• Remove or transition permanent assignments to eligible assignments under PIM. 
• Use Continuous Access Evaluation (CAE) in Entra ID to revoke access quickly if user risk changes or session anomalies are detected. 

Apply Just-In-Time Access 

• In addition to PIM for identity roles, configure Just-in-Time VM access via Defender for Cloud. 
• This locks down inbound RDP/SSH and only opens access upon authorized request for a limited time. 

Pro Tip: Continuous Monitoring 

• Integrate audit logs from PIM and JIT into a SIEM (e.g., Microsoft Sentinel).
• Monitor privilege elevations to detect unusual patterns and get early warnings on potential misuse.  

CSPM Assessment: Fast, Focused, Continuous

Traditional audits provide only a snapshot in time. Azure environments evolve constantly, and point-in-time reviews cannot keep up. Cloud Security Posture Management, or CSPM, changes that. It delivers automated visibility, intelligent detection, and prioritized remediation, giving your team both immediate and ongoing security improvements.

Bottom line: CSPM turns “Oops, Azure did it again” into “Got it covered.”

Why CSPM Matters

Even small misconfigurations can have major consequences:

• Ransomware exposure – open ports and stale accounts are actively exploited.
• Compliance failures – HIPAA, PCI DSS, ISO 27001, and other frameworks require proper access controls and audit trails.
• Unexpected downtime – misconfigurations can disrupt critical workloads.
• Reputational damage – customers expect reliable operations, not incident disclosures.

CSPM gives you continuous, automated insight into your environment. It identifies the misconfigurations that cause the most risk, including overly permissive access, stale identities, missing logs, credential misuse, and standing admin privileges. Every finding is tied to context, severity, business impact, and compliance requirements, so you know exactly what to fix first.

With CSPM in place, you move from reacting to incidents to preventing them. From scrambling before audits to walking in prepared. From hoping you are secure to knowing exactly where you stand.

What You Get with a CSPM Assessment

A CSPM assessment from Fortress SRM is conducted by our veteran cloud security analysts using modern tooling to deliver rapid visibility, automated detection, and actionable remediation tailored to your Azure environment.

• Rapid visibility – every user, resource, and permission across your Azure tenant.
• Automated detection – misconfigurations and security gaps with context and priority.
• Actionable remediation – clear, tailored steps for your environment.
• Continuous posture improvement – structured, ongoing cloud security management.

Next Step

Do not wait for an auditor or an attacker to uncover your risks. Fortress SRM provides hands-on support and continuous improvement to help you stay ahead of threats and ensure compliance.

Contact Fortress SRM to schedule your Azure CSPM Assessment and see exactly where your risks are and how to fix them fast.

The post Oops, Azure Did It Again: 5 Risks You Can’t Ignore appeared first on Fortress SRM.

Stay up to date on critical cyber risks, Microsoft’s November Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats. 

Quick Highlights

• Microsoft Patch Tuesday: 
  – 63 vulnerabilities disclosed 
  – 4 rated Critical, 1 Zero-Day (actively exploited) 

• Adobe Security Updates: 
  – 29 vulnerabilities patched across 8 products 
  – 23 rated Critical, affecting InDesign, inCopy, Photoshop, Illustrator, Illustrator Mobile, Pass, Substance 3D Stager, and Format Plugins 

• High-Severity Advisories from Major Vendors: 
  – Cisco: 3 critical-severity flaws and 1 high-severity flaws, in Unified CCX, Secure Firewall ASA, Secure FTD, IOS/IOS XE/IOS XR, ISE RADIUS 
  – Fortinet: 1 medium-severity flaw in FortiOS 
  – Ivanti: 1 high-severity flaw in Ivanti Endpoint Manager 
  – SAP: 3 critical vulnerabilities in NetWeaver AS Java, SQL Anywhere Monitor, and Solution Manager
  – Google Chrome: 1 high-severity flaw fixed in security updates 
  – Mozilla Firefox: 9 high-severity flaws fixed in security updates  

• Top Threats to Watch: 
  – Microsoft Teams Exploitation – Vulnerabilities enabling impersonation, message manipulation, and spoofing in Teams 
  – Advanced Persistent Threat (APT) Activity – Increased operations by China-, Iran-, and North Korea-aligned groups 
  – AI-Driven Cyberattacks – Threat actors leveraging AI for prompt injection, social engineering, and malware  
  – Sophisticated Social Engineering Campaigns – Large-scale smishing, phishing kits like Quantum Route Redirect, and gift card fraud  

Windows 10 Reaches End of Support

As of October 14, 2025, Microsoft has officially ended support for Windows 10. October’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program. 

• What This Means for Your Organization: 
  – No more security patches or bug fixes for Windows 10 devices 
  – Increased exposure to vulnerabilities and compliance risks 

• Continued support requires either:  
  – Enrolling in Microsoft’s paid ESU program, or 
  – Upgrading to Latest Version of Windows 11 

Need help planning your transition? 
Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure. 

Patch Tuesday Summary

Microsoft November 2025 Patch Tuesday 
63 vulnerabilities disclosed, including 4 critical and 1 zero-day. By category:

• 29 Elevation of Privilege 
• 16 Remote Code Execution 
• 11 Information Disclosure 
• 3 Denial of Service 
• 2 Security Feature Bypass 
• 2 Spoofing 

Critical Common Vulnerabilities and Exposures (CVEs)

Windows Zero-Days

Other Critical CVE’s Worth Mentioning

Microsoft November 2025 Security Update Release

3rd Party Critical CVE’s Worth Mentioning

Adobe Products *

Adobe Security Bulletins

Cisco *

Cisco Security Advisories

Fortinet *

Fortinet PSIRT Advisories

Ivanti *

Ivanti November 2025 Security Update

SAP *

SAP November 2025 Security Notes

Google Chrome

• Version: 142.0.7444.175/.176 (Windows and Mac), 142.0.7444.175 (Linux) 
• Release Date: November 11, 2025 
• Key Fixes: Security fix for CVE-2025-13223 and CVE-2025-13224 

Chrome Release Notes 

Mozilla Firefox 

• Version: Firefox 145 
• Release Date: November 11, 2025 
• Key Fixes: Security fix for 9 high severity CVE’s, including CVE-2025-13021, CVE-2025-13022, CVE-2025-13012, CVE-2025-13023, CVE-2025-13016, CVE-2025-13024, CVE-2025-13025, CVE-2025-13026, CVE-2025-13027 

Firefox Release Notes

* Not handled by Fortress SRM. 

Threat Intelligence Trends – November 2025

The following resources are grouped by threat type / category. 

Emerging Threats

Exploiting Microsoft Teams: Impersonation and Spoofing Vulnerabilities Exposed 
Check Point Research uncovered four vulnerabilities in Microsoft Teams that allowed attackers to impersonate executives, manipulate messages, spoof notifications, and forge identities in video and audio calls. Read more → 

APT Activity Report Q2 2025–Q3 2025 
ESET’s APT Activity Report for Q2–Q3 2025 highlights increased operations by China-aligned groups using adversary-in-the-middle techniques, Iran-aligned actors ramping up internal spearphishing, and North Korea-aligned hackers expanding cryptocurrency attacks into new regions like Uzbekistan. Read more → 

Preparing for Threats to Come: Cybersecurity Forecast 2026 
Google Cloud’s Cybersecurity Forecast 2026 predicts that threat actors will fully embrace AI-driven attacks, using techniques like prompt injection and AI-enabled social engineering, while defenders counter with AI agents and advanced identity management. Read more → 

Ransomware & Malware Deployment

Uncovering Qilin Attack Methods Exposed Through Multiple Cases 
The Qilin ransomware group (formerly Agenda) has emerged as one of the most prolific ransomware threats, using a double-extortion model that combines file encryption with public data leaks. Read more → 

Social Engineering Exploits

Jingle Thief: Inside a Cloud Based Gift Card Fraud Campaign 
The Jingle Thief campaign is a cloud-based gift card fraud operation exploiting Microsoft 365 environments using phishing and smishing, run by financially motivated threat actors based in Morocco.  Read more →  

The Smishing Deluge: China-Based Campaign Flooding Global Text Messages 
The Smishing Deluge campaign, attributed to the Smishing Triad, is a large-scale, decentralized smishing operation using fraudulent SMS messages about toll violations and package misdelivery to steal sensitive data. Read more → 

Quantum Route Redirect: Anonymous Tool Streamlining Global Phishing Attack 
The Quantum Route Redirect phishing kit is an advanced automation platform that streamlines global phishing campaigns targeting Microsoft 365 users, turning complex setups into simple one-click launches. Read more → 

Black Friday Scams – How to Detect the Red Flags and Protect your wallet and Data 
Cybercriminals are exploiting Black Friday shopping trends with scams that use fake retail websites, phishing emails, and malicious ads to steal payment information and personal data. Read more → 

AI-Driven Threats

First Vulnerability in OpenAI Atlas Browser, Allowing Injection of Malicious Instructions into ChatGPT 
LayerX discovered the first vulnerability in OpenAI’s ChatGPT Atlas browser, which allows attackers to inject malicious instructions into ChatGPT’s memory via a Cross-Site Request Forgery (CSRF) exploit. Read more →  

GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools 
Google Threat Intelligence reports that threat actors have moved beyond using AI for productivity and are now deploying AI-enabled malware that dynamically generates malicious scripts and evades detection. Read more → 

HackedGPT: Novel AI Vulnerabilities Open the Door for Private Data Leakage 
Tenable Research has discovered seven vulnerabilities and attack techniques in ChatGPT, including unique indirect prompt injections, exfiltration of personal user information, persistence, evasion, and bypass of safety mechanisms. Read more → 

Recommended Actions

Mitigations

• Apply all Microsoft November Patch Tuesday updates, prioritizing critical and zero-day CVEs (e.g., CVE-2025-62215). 
• Upgrade or enroll in Extended Security Updates (ESU) for Windows 10 devices to maintain compliance and reduce exposure. 
• Patch third-party applications promptly, especially Adobe, Cisco, and SAP products with critical vulnerabilities. 
• Harden email and collaboration platforms (Microsoft 365, Teams) against phishing and impersonation attacks by enabling safe links, anti-spoofing policies, and conditional access. 

Monitoring

• Monitor for signs of exploitation of zero-day vulnerabilities and critical CVEs in Microsoft and third-party products. 
• Track anomalous login activity, especially from new geolocations or impossible travel scenarios, to detect APT and social engineering campaigns. 
• Watch for large-scale smishing/phishing attempts and suspicious redirects (Quantum Route Redirect indicators). 
• Enable cloud app security monitoring for Microsoft 365 and Google Workspace to detect unauthorized gift card issuance or mailbox rule changes. 

About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering 

Why Patching Matters

Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities. 

Vigilant Managed Cyber Hygiene

 Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management. 

• Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications 
• Critical patches, OS upgrades, and configuration updates for all devices, on/off network 
• 24/7/365 U.S.-based monitoring and real-time reporting for full visibility 

Stay Protected. Stay Proactive.

Learn how Fortress SRM can enhance your cybersecurity strategy → 

The post Threat and Security Update – November, 2025 appeared first on Fortress SRM.

Stay up to date on critical cyber risks, Microsoft’s October Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats. 

Quick Highlights

• Windows 10 End of Support 
  – Final patch released October 14 
  – No more updates unless enrolled in Extended Security Updates (ESU) or upgraded to Windows 11 
  – Now is the time to assess your upgrade path 
  
• Microsoft Patch Tuesday: 
  – 175 vulnerabilities disclosed 
  – 17 rated Critical, 6 are Zero-Day (3 actively exploited) 

• Adobe Security Updates: 
  – 36 vulnerabilities patched across 12 products 
  – 24 rated Critical, affecting Illustrator, FrameMaker, Creative Cloud, and more 

• High-Severity Advisories from Major Vendors: 
  – Cisco: 4 high-severity flaws, including SNMP RCE and Secure Boot bypass 
  – Fortinet: 2 high-severity flaws in FortiPAM and FortiOS 
  – SAP: 3 critical vulnerabilities in NetWeaver, Print Service, and SRM 
  – Ivanti: 5 high-severity flaws in EPMM and Neurons for MDM 

• Top Threats to Watch: 
  – Crimson Collective targeting AWS with leaked keys and extortion tactics 
  – VMware CVE-2025-41244 zero-day exploited for privilege escalation 
  – Quishing 2.0: QR code phishing attacks evolving in sophistication 
  – Ransomware Cartel: LockBit, DragonForce & Qilin collaborating 
  – Oyster Malware via fake Microsoft Teams installers 
  – Weaponized DFIR Tools: Velociraptor abused in ransomware attacks 
  – AI-Driven Threats: ShadowLeak zero-click exploit in ChatGPT; AI-generated phishing and malware 

Windows 10 Reaches End of Support

As of October 14, 2025, Microsoft has officially ended support for Windows 10. This month’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program. 

What This Means for Your Organization: 

• No more security patches or bug fixes for Windows 10 devices 
• Increased exposure to vulnerabilities and compliance risks 
• Continued support requires either:  
  – Enrolling in Microsoft’s paid ESU program, or
  – Upgrading to Windows 11 

Need help planning your transition? 
Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure. 

Patch Tuesday Summary

Microsoft October 2025 Patch Tuesday 
175 vulnerabilities disclosed, including 8 critical and 6 zero-days. By category: 

• 80 Elevation of Privilege 
• 31 Remote Code Execution
• 28 Information Disclosure
• 11 Security Feature Bypass 
• 11 Denial of Service 
• 10 Spoofing 

Critical Common Vulnerabilities and Exposures (CVEs)

Windows Zero-Days

Other Critical CVE’s Worth Mentioning

3rd Party Critical CVE’s Worth Mentioning

Adobe Products *

Adobe Security Bulletins → 

Cisco *

Cisco Security Advisories → 

Fortinet *

Fortinet PSIRT Advisories → 

Ivanti *

Ivanti October 2025 Security Update → 

SAP *

SAP October 2025 Security Notes → 

Google Chrome

• Version: 141.0.7390.107/.108 (Windows and Mac), 141.0.7390.107 (Linux) 
• Release Date: October 14, 2025 
• Key Fixes: Security fix for CVE-2025-11756 

Chrome Release Notes → 

* Not handled by Fortress SRM. 

Threat Intelligence Trends – October 2025

The following resources are grouped by threat type / category. 

Emerging Threats

Crimson Collective Targeting Cloud Environments 

A newly identified threat group, Crimson Collective, has been observed compromising AWS environments using leaked long-term access keys. They escalate privileges via IAM policies, exfiltrate sensitive data, and follow up with extortion attempts. Read more →  

Zero-Day Alert: VMware CVE-2025-41244 Privilege Escalation 

NVISO Labs identified active exploitation of CVE-2025-41244, a local privilege escalation flaw in VMware’s guest service discovery. The vulnerability allows attackers to elevate privileges and potentially pivot within virtualized environments. Read more → 

Quishing 2.0: QR Code Phishing Evolves 

Cybercriminals are refining quishing attacks using fake QR codes embedded in emails, flyers, and public spaces. These codes redirect users to phishing sites or initiate malware downloads. Read more → 

Ransomware & Malware Deployment

LockBit, DragonForce & Qilin Form Ransomware Cartel 

Three major ransomware groups have formed a criminal cartel to coordinate attacks and share infrastructure. Read more →  

Malvertising Campaign: Oyster Malware via Fake Teams Installers 

Threat actors are using SEO poisoning and malicious ads to distribute trojanized Microsoft Teams installers. These fake installers deploy Oyster (aka Broomstick), a modular backdoor that enables persistent remote access and stealthy data exfiltration. Read more → 

Velociraptor DFIR Tool Weaponized 

Threat actors are abusing the legitimate Velociraptor forensic tool to deploy ransomware like LockBit and Babuk. This marks a troubling trend of security tools being repurposed for attacks. Read more →

Group: Storm-2603 (China-based) 

Cephalus Ransomware via DLL Sideloading 

A new ransomware variant, Cephalus, uses DLL sideloading through SentinelOne binaries and RDP access without MFA. Read more → 

Cloud & Infrastructure Exploits

SonicWall SSLVPN Exploitation 

Akira ransomware actors are exploiting SonicWall VPNs using BYOVD techniques and clearing logs to evade detection. Read more → 

Discord Data Breach via Third-Party Vendor 

A breach at Discord’s support vendor exposed 70,000 government ID photos and personal data. Read more → 

Clop Claims Oracle E-Business Suite Data Theft 

The Clop ransomware group has reportedly sent extortion emails claiming to have stolen data from Oracle E-Business Suite environments. While the full scope of the breach is unclear, the tactic aligns with Clop’s recent shift toward data-centric extortion rather than encryption. Read more → 

AI-Driven Threats

AI-Powered Malware & Phishing 

Russia-linked groups are using AI to generate phishing lures and malware like WRECKSTEEL and GIFTEDCROOK. Read more → 

Zero-Click AI Exploit: ShadowLeak Vulnerability in ChatGPT 

Radware disclosed ShadowLeak, a zero-click prompt injection vulnerability in ChatGPT’s enterprise integrations. Malicious emails can silently trigger data exfiltration from OpenAI’s servers without user interaction, bypassing traditional security controls. Read more → 

Recommended Actions

Mitigations

• Prioritize patching all actively exploited zero-days from Microsoft and VMware. 
• Disable unused services on Cisco IOS XE and Fortinet appliances to reduce attack surface. 
• Enforce MFA across all cloud and identity platforms. 
• Restrict QR code scanning on unmanaged devices to mitigate quishing attacks. 
• Update endpoint protection to detect AI-generated malware variants. 

Monitoring

• Watch for suspicious authentication attempts in Azure, Fortinet, and Ivanti logs. 
• Monitor for unexpected outbound traffic from Teams or Office installations (possible Oyster malware). 
• Track file uploads and downloads in SAP SRM and Print Service environments. 
• Set alerts for SNMP activity spikes on Cisco devices (possible CVE-2025-20352 exploitation). 

Detection Tips

• Use YARA or Sigma rules to detect:  
  – Velociraptor misuse in ransomware campaigns 
  – ShadowLeak zero-click exploit indicators in AI platforms 
• Deploy honeypots or deception tools to detect brute-force attempts on FortiPAM and Secure Boot bypass attempts on Cisco IOS XE.  
• Leverage threat intel feeds to identify Crimson Collective and LockBit cartel infrastructure. 

About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering 

Why Patching Matters

Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities. 

Vigilant Managed Cyber Hygiene

 Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management. 

• Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications 
• Critical patches, OS upgrades, and configuration updates for all devices, on/off network 
• 24/7/365 U.S.-based monitoring and real-time reporting for full visibility 

Stay Protected. Stay Proactive.

Learn how Fortress SRM can enhance your cybersecurity strategy → 

The post Threat and Security Update – October, 2025 appeared first on Fortress SRM.