Today’s roundup
Payments platform BridgePay confirms ransomware attack behind outage
Germany warns of Signal account hijacking targeting senior figures
China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery
CISA warns of SmarterMail RCE flaw used in ransomware attacks
Substack Confirms Data Breach, "Limited User Data" Compromised
CISA pushes Federal agencies to retire end-of-support edge devices
Illinois man pleads guilty to hacking hundreds of Snapchat accounts to steal nude photos
Norwegian intelligence discloses country hit by Salt Typhoon campaign
Discovering Negative-Days with LLM Workflows
Summary
Payments platform BridgePay, a major U.S. payment gateway and solutions provider, has confirmed that a ransomware attack is behind the widespread outage that has affected multiple of its services since Friday. The incident significantly disrupted its platform nationwide and marks a critical event for financial infrastructure security.
Germany's domestic intelligence agency, the Federal Office for the Protection of the Constitution (BfV), and the Federal Office for Information Security (BSI) have issued a joint advisory warning that suspected state-sponsored threat actors are conducting phishing attacks via the Signal messaging app. High-ranking individuals, including politicians, military personnel, and journalists, are specifically targeted in this campaign.
A newly identified Linux-based toolkit named DKnife, operated by China-nexus threat actors since at least 2019, is being used as an Adversary-in-the-Middle (AitM) framework. It targets routers and edge devices to hijack traffic, perform deep packet inspection, and deliver malware in espionage campaigns. The framework comprises seven Linux-based implants.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding CVE-2026-24423, an unauthenticated remote code execution (RCE) flaw in SmarterMail. This critical vulnerability is being actively exploited in ransomware attacks.
Substack, a popular newsletter platform, has confirmed a data breach. The incident compromised "limited user data," although the company did not specify the exact number of affected users. Investigations into the scope of the breach are ongoing.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive 26-02, mandating federal civilian agencies to strengthen their management of edge network devices. Agencies must identify and replace all end-of-support devices, which no longer receive security updates, within the next 12 to 18 months to mitigate cyber risks.
An Illinois man, Kyle Svara of Oswego, has pleaded guilty to multiple charges, including aggravated identity theft, wire fraud, computer fraud, and conspiracy to commit computer fraud. He confessed to hacking hundreds of Snapchat accounts to steal nude photos and potentially faces decades in prison.
Norwegian intelligence has revealed that the country has been targeted by a cyber espionage campaign dubbed "Salt Typhoon," linked to Chinese security and intelligence services. The assessment indicates strengthened Chinese capabilities for cyber operations and human intelligence collection within Norway.
A new threat intelligence workflow uses Large Language Models (LLMs) to detect vulnerabilities in open-source repositories before a public CVE is disclosed, a window termed "negative-days" and "never-days." The workflow identified a command injection vulnerability in a canary release of `@next/codemod`, demonstrating that LLMs can monitor commits for security patches and potential exploits.