CyberNews: 10/02/2026 Edition

Published by Dunateo on 2026-02-10

Today’s roundup

  • Senegal shuts National ID office after ransomware attack
  • Dutch Authorities Confirm Ivanti Zero-Day Exploit Exposed Employee Contact Data
  • China-linked APT UNC3886 targets Singapore telcos
  • Critical Fortinet FortiClientEMS flaw allows remote code execution
  • BeyondTrust fixes critical pre-auth bug allowing remote code execution
  • SolarWinds Web Help Desk Exploited for RCE in Multi-Stage Attacks on Exposed Servers
  • Warlock Ransomware Breaches SmarterTools Through Unpatched SmarterMail Server
  • New Zero-Click Flaw in Claude Desktop Extensions, Anthropic Declines Fix
  • Leaked technical documents show China rehearsing cyberattacks on neighbors’ critical infrastructure
  • Payment tech provider for Texas, Florida governments working with FBI to resolve ransomware attack
  • Summary

    Senegal's Directorate of File Automation, responsible for national ID cards, passports, and biometric data, temporarily closed its offices following a ransomware attack. A new group, "Green Blood Group," claimed responsibility, alleging the theft of 139 GB of data, including citizen records and immigration documents. The attack reportedly occurred on January 19, 2026, targeting two servers managed by Malaysia's IRIS Corporation, which assists in creating Senegal's digital ID cards. One server had card personalization data stolen. Authorities are investigating, though initial statements sought to reassure citizens about data integrity.

    Dutch authorities confirmed that the Dutch Data Protection Authority (AP) and the Council for the Judiciary were impacted by cyberattacks exploiting recently disclosed vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The incidents, detected around January 29, 2026, resulted in unauthorized access to work-related contact details of AP staff, including names, business email addresses, and phone numbers. The European Commission also detected a cyberattack on its mobile device management system on January 30, with potential access to staff names and mobile numbers, though no mobile devices were compromised and the system was cleaned within nine hours. Finland's government agencies also reportedly suffered related breaches.

    Singapore's Cyber Security Agency (CSA) and the Infocomm Media Development Authority (IMDA) revealed that the China-linked APT group UNC3886 has been targeting Singapore's telecommunications sector since July 2025. In a coordinated response dubbed "Operation CYBER GUARDIAN," investigators found UNC3886 launched a deliberate campaign against all four major telcos: M1, SIMBA Telecom, Singtel, and StarHub. The sophisticated group exploited a zero-day vulnerability to bypass firewalls and exfiltrate network-related data, and deployed rootkits for persistent access, although no significant data theft or service disruption has been confirmed. The 11-month operation involved over 100 cyber experts to contain the threat.

    Fortinet has issued an urgent advisory regarding a critical SQL Injection vulnerability (CVE-2026-21643) in FortiClientEMS, carrying a CVSS score of 9.1. The flaw allows an unauthenticated remote attacker to execute arbitrary code or commands on susceptible systems through specially crafted HTTP requests. The vulnerability affects FortiClientEMS version 7.4.4 and requires an upgrade to 7.4.5 or above for remediation. This issue was internally discovered by Fortinet's product security team.

    BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability, tracked as CVE-2026-1731 with a CVSS score of 9.9, affecting its Remote Support and older Privileged Remote Access products. The flaw, disclosed on February 6, 2026, could allow an unauthenticated attacker to execute operating system commands remotely by sending specially crafted requests. SaaS customers received automatic protection on February 2, but self-hosted deployments must manually apply patches (e.g., Remote Support patch BT26-02-RS or version 25.3.2+, Privileged Remote Access patch BT26-02-PRA or version 25.1.1+). Researchers estimate approximately 11,000 BeyondTrust Remote Support instances remain exposed online, with 8,500 being on-premise systems at risk if not updated.

    Microsoft has observed multi-stage intrusions actively exploiting internet-exposed SolarWinds Web Help Desk (WHD) instances. Threat actors are leveraging vulnerabilities in WHD to gain initial access to targeted networks, then move laterally to other high-value assets. The attacks involve deploying legitimate forensic tools, such as Velociraptor, for persistence and remote control once code execution rights are obtained. Microsoft did not specify which vulnerabilities were exploited, but confirmed active and sophisticated campaigns against WHD systems.

    SmarterTools confirmed that the Warlock ransomware gang, also known as Storm-2603, breached its network by exploiting an unpatched SmarterMail instance on January 29, 2026. The incident compromised a mail server that was not updated to the latest version. While the breach did not impact business applications or account data, the Warlock gang gained unauthorized access through this vulnerability.

    Security researchers from LayerX have identified a new zero-click vulnerability affecting 50 Claude Desktop Extensions, which could lead to unauthorized remote code execution. Despite the severity of the flaw, which allows exploitation without user interaction, AI company Anthropic has reportedly declined to issue a fix. This leaves users of these specific desktop extensions vulnerable to potential compromise.

    Leaked technical documents reveal that China is utilizing a sophisticated training platform to rehearse cyberattacks against the critical infrastructure of its neighbors. The platform is described as part of a large integrated system designed to allow attackers to practice hacking replicas of "real network environments" belonging to China's "main operational opponents in the South China Sea and Indochina directions." These documents underscore China's ongoing development of advanced cyber warfare capabilities against regional adversaries.

    BridgePay Network Solutions, a payment technology provider for government entities in Texas and Florida, is working with the FBI and the U.S. Secret Service to resolve a ransomware attack. The incident led to system-wide outages, which BridgePay initially warned customers about on Friday. While services were taken offline, the company has reported no card data compromise following the attack.

    Want to dig deeper?

    Vulnerabilities

      • CVE-2026-21643: Critical
      • CVE-2026-1731: Critical