Today’s roundup
Amazon: Drone strikes damaged AWS data centers in Middle East
University of Hawaiʻi Cancer Center confirms data leak following ransomware attack
Android devices hit by exploited Qualcomm flaw CVE-2026-21385
Russia-linked APT28 exploited MSHTML zero-day CVE-2026-21513 before patch
Chrome security flaw enabled spying via Gemini Live assistant
Phishing campaign exploits OAuth redirection to bypass defenses
Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication
That AI You Confide in May Be an Open Book: Researchers Find Cloud Keys, Exposed Conversations, and Injectable Chat in Companion Apps
SloppyLemming Targets Pakistan and Bangladesh Governments Using Dual Malware Chains
Huge “Shadow Layer” of Organizations Hit by Supply Chain Attacks
Summary
Amazon confirmed that drone strikes caused physical damage to three Amazon Web Services (AWS) data centers in the United Arab Emirates and one in Bahrain, leading to extensive outages for cloud computing services.
The University of Hawaiʻi Cancer Center reported a ransomware attack in August 2025 that compromised data of nearly 1.2 million individuals. Sensitive information, including driver’s license and voter registration data, was stolen from the Multiethnic Cohort Study.
Google released patches for 129 Android vulnerabilities, including an actively exploited zero-day (CVE-2026-21385, CVSS 7.8) in a Qualcomm display component. The update also addressed a critical System RCE (CVE-2026-0006, CVSS 9.8) and other high-severity Kernel/Hypervisor flaws.
Russia-linked APT28 exploited a high-severity MSHTML zero-day (CVE-2026-21513, CVSS 8.8) that allows code execution through a security control bypass. Exploited before Microsoft’s February 2026 patch, the flaw in ieframe.dll was triggered with crafted LNK files that bypass Mark of the Web and Internet Explorer Enhanced Security Configuration (IE ESC).
Palo Alto Networks found a high-severity Chrome vulnerability (CVE-2026-0628), patched in Chrome 143, enabling malicious extensions to hijack the Gemini Live AI assistant. This flaw allowed privilege escalation, access to local files, camera/mic control, and screenshots by injecting JavaScript into the privileged panel.
Microsoft warned of phishing campaigns targeting government and public-sector organizations by abusing legitimate OAuth URL redirection. Because the link passes through a legitimate OAuth endpoint, it bypasses defenses and redirects victims to attacker-controlled infrastructure, where malware is delivered via malicious LNK files or HTML smuggling.
A new phishing suite, Starkiller, uses Adversary-in-the-Middle (AitM) reverse proxy techniques to bypass MFA. Marketed by the Jinkusu threat group, it enables impersonation of brands and use of legitimate URLs for sophisticated phishing operations.
Oversecured identified severe vulnerabilities in popular AI companion apps, including hardcoded OpenAI API tokens and Google Cloud private keys. Cross-site scripting flaws also allowed code injection into chat interfaces, potentially exposing user conversations and backend infrastructure.
The SloppyLemming threat cluster conducted espionage attacks against government entities and critical infrastructure in Pakistan and Bangladesh from January 2025 to January 2026, using two malware chains: BurrowShell and a Rust-based malware.
Black Kite reported a "shadow layer" of 26,000 unnamed corporate victims linked to 136 third-party supply chain breaches, highlighting the widespread impact of vulnerabilities in extended supply chains.
Want to dig deeper?
Vulnerabilities
Cyber Groups
| Group | Aliases |
| --- | --- |
| APT28 | IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch |