CyberNews: 17/05/2026 Edition

Published by Dunateo on 2026-05-17

Today’s roundup

  • Microsoft rejects critical Azure vulnerability report, no CVE issued
  • Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt
  • Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming
  • Canvas hack: is it ever a good idea to pay a ransom, and what happens to the data?
  • Pwn2Own Berlin 2026, Day Three: DEVCORE Crowned Master of Pwn, $1.298 Million Total
  • Russian APT Turla builds long-term access tool with Kazuar Botnet evolution

Summary

    A security researcher claims Microsoft silently patched a critical Azure Backup for AKS vulnerability after rejecting his report and without issuing a CVE. Microsoft disputes this, stating no product changes were made, despite the researcher providing documentation of a fix. This incident raises concerns about vulnerability disclosure and patching in cloud services.

    Grafana disclosed a security incident where an unauthorized party obtained a GitHub token, granting access to their GitHub environment and allowing for the download of its codebase. The company confirmed no customer data or personal information was accessed, and no impact on customer systems or operations has been found, though an extortion attempt followed the breach.

    A critical security vulnerability affecting the WordPress Funnel Builder plugin is under active exploitation. Attackers are injecting malicious JavaScript into WooCommerce checkout pages to skim payment data. This flaw currently lacks an official CVE identifier, and details of the ongoing activity were published by Sansec.

    Instructure, the operator of the educational platform Canvas, reportedly reached an agreement with attackers behind a recent ransomware attack, implying a ransom payment. The incident resulted in outages, the theft of hundreds of millions of students' data, and defaced login pages. Experts generally advise against paying ransoms, but companies often consider it to protect user privacy.

    Pwn2Own Berlin 2026 concluded with the discovery of 47 unique zero-day vulnerabilities and a total payout of $1,298,250. Team DEVCORE was crowned "Master of Pwn" with 50.5 points and $505,000. Notable targets exploited on the final day included Microsoft SharePoint, VMware ESXi, and OpenAI Codex, along with multiple privilege escalations on Windows 11 and Red Hat Enterprise Linux. Vendors now have 90 days to issue fixes.

    The Russia-linked APT group Turla, also known as Secret Blizzard, has evolved its Kazuar backdoor into a sophisticated modular peer-to-peer (P2P) botnet for long-term, stealthy access to compromised systems. Microsoft researchers detailed the botnet's architecture, which includes Kernel, Bridge, and Worker modules designed to minimize external network visibility and maintain persistent intelligence collection capabilities, primarily targeting government and diplomatic entities.

    Want to dig deeper?

    Cyber Groups

    Turla (also known as IRON HUNTER, Group 88, Waterbug, WhiteBear, Snake, Krypton, Venomous Bear, Secret Blizzard, BELUGASTURGEON)
    Blizzard Russia

    Malware Families

    Kazuar