Detailed write-ups
Turla turns Kazuar into a modular P2P botnet (May 14)
Microsoft attributes Kazuar’s new modular architecture (Kernel, Bridge, Worker components) to Turla / Secret Blizzard, affiliated with Russia’s FSB Center 16. The malware supports HTTP, WebSockets, and Exchange Web Services (EWS) for C2, has 150+ config parameters, and includes AMSI/ETW bypasses. Targets include government, diplomatic, and defense organizations in Europe and Central Asia. Read alongside the BleepingComputer and Hacker News reporting for full context.
Sources: Microsoft Security Blog · The Hacker News · BleepingComputer
Dirty Frag (May 7–13) and Fragnesia (May 13)
A chained pair of bugs in the Linux kernel’s ESP/IPsec and RxRPC paths — CVE-2026-43284 and CVE-2026-43500 (Dirty Frag) — allows reliable LPE to root across Ubuntu, RHEL, Fedora, AlmaLinux, and CentOS Stream. Public PoC pre-dated patches. Then the patch for one of the Dirty Frag bugs accidentally activated a related bug in XFRM ESP-in-TCP, disclosed May 13 by William Bowling (Zellic) and the V12 security team as Fragnesia (CVE-2026-46300). PoC released. Mitigation for both: unload/denylist esp4, esp6, rxrpc modules.
Sources: Hacker News (Dirty Frag) · Hacker News (Fragnesia) · Help Net Security
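The mitigation named above (unload and denylist esp4, esp6 and rxrpc) is simple to state but easy to get half right: a `blacklist` line in modprobe.d only stops alias-based autoloading, while an `install <module> /bin/false` line makes any later modprobe of the module fail. The script below is an added example written for this digest, not code from the researchers or distributions involved; the modprobe.d filename and the `--apply` switch are my choices, and the loaded-module check reads a `/proc/modules`-style file so it can be pointed at a saved copy as well as the live system.

```shell
#!/bin/sh
# Added example: denylist the esp4/esp6/rxrpc kernel modules named as the
# Dirty Frag / Fragnesia mitigation, and report whether any are currently loaded.

VULN_MODULES="esp4 esp6 rxrpc"

# Write a modprobe.d fragment to the path in $1 (hypothetical filename chosen here).
# "blacklist" alone only blocks alias autoload; "install ... /bin/false" also
# makes an explicit "modprobe esp4" fail, which is what actually keeps it out.
write_denylist() {
  out="$1"
  {
    echo "# Dirty Frag / Fragnesia mitigation: block ESP and RxRPC modules"
    for m in $VULN_MODULES; do
      echo "blacklist $m"
      echo "install $m /bin/false"
    done
  } > "$out"
}

# Print the vulnerable modules that are loaded, reading a /proc/modules-style
# file ($1, default /proc/modules; first field is the module name).
# Returns 0 when none are loaded, 1 when at least one is, 2 if unreadable.
loaded_vuln_modules() {
  src="${1:-/proc/modules}"
  [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
  found=""
  for m in $VULN_MODULES; do
    if awk -v mod="$m" '$1 == mod { hit = 1 } END { exit hit ? 0 : 1 }' "$src"; then
      found="$found $m"
    fi
  done
  found="${found# }"
  echo "$found"
  [ -z "$found" ]
}

# Unload whatever is loaded (needs root). modprobe -r refuses if the module is
# in use, e.g. by an active IPsec tunnel, so a failure here means the host still
# needs the kernel patch rather than this workaround.
unload_vuln_modules() {
  for m in $(loaded_vuln_modules || true); do
    modprobe -r "$m" || echo "could not unload $m (in use?)" >&2
  done
}

# Usage: sh dirtyfrag-mitigate.sh --apply   (as root)
if [ "${1:-}" = "--apply" ]; then
  loaded_vuln_modules || true
  write_denylist /etc/modprobe.d/dirtyfrag-denylist.conf
  unload_vuln_modules
fi
```

Run without `--apply` the script only defines the functions, so `loaded_vuln_modules` can be sourced into an inventory job to find hosts where the modules are still resident after the denylist was pushed.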
Microsoft Exchange Server zero-day CVE-2026-42897 (May 14)
CVSS 8.1 cross-site scripting flaw in on-prem Exchange enables unauthorized spoofing. Active exploitation observed; Microsoft published mitigations on May 16 while a permanent fix is prepared. Immediate response is warranted for any hybrid or on-prem Exchange estate.
Sources: SecurityWeek
Cisco Catalyst SD-WAN authentication bypass CVE-2026-20182 (May 14–15)
CVSS 10.0 — maximum severity. Cisco attributes active exploitation to UAT-8616, the same cluster that weaponized CVE-2026-20127. CISA added the bug to its Known Exploited Vulnerabilities catalog on May 15 with a federal remediation deadline of May 17.
Sources: BleepingComputer
PraisonAI exploited four hours after disclosure (May 11)
CVE-2026-44338 (CVSS 7.3): missing authentication in the open-source multi-agent orchestration framework PraisonAI exposes sensitive endpoints. The advisory was published at 13:56 UTC; the first exploit attempt landed at 17:40 UTC the same day. A stark data point for AI infrastructure exposure-to-exploit timelines.
Sources: The Hacker News · CSO Online
FamousSparrow targets Azerbaijani oil and gas (May 13)
China-linked FamousSparrow ran a multi-wave intrusion against an Azerbaijani oil & gas company from late December 2025 through late February 2026, attributed with moderate-to-high confidence. South Caucasus energy-sector targeting fits broader Chinese strategic-resource collection priorities.
Sources: Dark Reading
Ghostwriter resumes Ukraine government attacks (May 14)
Belarus-aligned Ghostwriter has been attributed a fresh set of attacks against Ukrainian governmental organizations. Coverage continues the established pattern of regional state-aligned cyber operations.
Sources: Security Affairs
Crimenetwork takedown and Mallorca arrest (May 15)
German authorities, with Spanish National Police, dismantled the relaunched Crimenetwork dark-web marketplace and arrested its 35-year-old suspected operator at his residence in Mallorca under a European Arrest Warrant. The site had 22,000+ users, 100+ vendors, €3.6M commissions, and used BTC/LTC/XMR. Server infrastructure, user database, communications, and transaction logs were preserved — expect downstream prosecutions.
Sources: SecurityWeek
Supply chain: node-ipc, Jenkins AST, GemStuffer
Three malicious node-ipc npm versions (9.1.6, 9.2.3, 12.0.1) were published with obfuscated stealer/backdoor behavior. Checkmarx confirmed a modified Jenkins AST plugin published to the Jenkins Marketplace on May 11. Socket researchers dubbed a new RubyGems campaign GemStuffer: 150+ gems using the registry as a data-exfil channel rather than malware delivery.
Sources: The Hacker News (node-ipc) · CISO Series / Socket (GemStuffer) · Checkmarx (Jenkins AST)
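The practical question for the node-ipc item is whether any of the three listed versions resolved into a lockfile somewhere in the estate, including as a transitive dependency. The scanner below is an added example written for this digest, not tooling from the reporters or the node-ipc project; it assumes the npm package-lock.json layout (v1 `"node-ipc": {` entries, or v2/v3 `"node_modules/.../node-ipc": {` entries, each followed by a `"version"` line) and does not read yarn or pnpm lockfiles.

```shell
#!/bin/sh
# Added example: flag the three malicious node-ipc versions from the digest in
# an npm package-lock.json (lockfile v1, v2 or v3). Prints one line per hit and
# exits 1 if anything was found, so it can gate a CI job.

BAD_NODE_IPC="9.1.6 9.2.3 12.0.1"

# $1: path to package-lock.json
scan_lockfile() {
  awk -v bad="$BAD_NODE_IPC" '
    BEGIN { n = split(bad, list, " "); for (i = 1; i <= n; i++) badset[list[i]] = 1 }
    # Entry header for the package itself: a quoted key ending in node-ipc
    # followed by "{". A nested path like node_modules/foo/node_modules/node-ipc
    # matches too; node-ipc-extra or a "node-ipc": "^9.1.0" range spec does not.
    /"([^"]*\/)?node-ipc": *[{]/ { inpkg = 1; next }
    # First "version" line after the header is the resolved version.
    inpkg && /"version":/ {
      match($0, /[0-9][0-9A-Za-z.+-]*/)
      v = substr($0, RSTART, RLENGTH)
      if (v in badset) { print "node-ipc " v; hit = 1 }
      inpkg = 0
    }
    END { exit hit ? 1 : 0 }
  ' "$1"
}

# Usage: sh scan-node-ipc.sh path/to/package-lock.json
if [ -n "${1:-}" ]; then
  scan_lockfile "$1"
fi
```

Because the check keys on the resolved version rather than the range in package.json, a project pinned to `^9.1.0` that happened to lock 9.2.3 is caught, while one that locked 9.2.2 is reported clean; run it across every lockfile in a monorepo with `find . -name package-lock.json` piped into the function.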