Today’s roundup
Netherlands Seizes 800 Servers of Hosting Firm Enabling Cyberattacks
Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer
LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root
Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV
First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups
Lawmakers Demand Answers as CISA Tries to Contain Data Leak
Ghostwriter Is Back, Using a Ukrainian Learning Platform as Bait to Hit Government Targets
CISA to Let Researchers Nominate Actively Exploited Vulnerabilities for Its KEV Catalog
FBI Warns of Kali365 Phishing-as-a-Service After April Microsoft 365 Attacks
Canadian Man Arrested, Charged for Running KimWolf DDoS Botnet
Summary
Dutch financial crime investigators (FIOD) arrested two individuals and confiscated 800 servers linked to a web hosting company. This firm was allegedly facilitating various cyberattacks, interference operations, and disinformation campaigns, marking a significant disruption to cybercriminal infrastructure.
Cybersecurity researchers have identified a software supply chain attack targeting multiple PHP packages belonging to Laravel-Lang, including laravel-lang/lang and laravel-lang/http-statuses. The campaign delivers a comprehensive credential-stealing framework, impacting applications utilizing these widely used packages.
A critical security vulnerability, CVE-2026-48172 (CVSS 10.0), in the LiteSpeed User-End cPanel Plugin is under active exploitation. The flaw is an incorrect privilege assignment that lets an attacker who already holds an ordinary cPanel user account run arbitrary scripts as root on the affected host, so any compromised customer account on a shared server becomes a full server takeover.
The U.S. CISA has added a recently patched SQL injection vulnerability, CVE-2026-9082, affecting all supported versions of Drupal Core, to its Known Exploited Vulnerabilities (KEV) catalog. Although the bug is described as critical, its CVSS score of 6.5 falls in the medium band; KEV listing is driven by evidence of exploitation in the wild rather than by score, and it obliges U.S. federal agencies to remediate by the catalog's due date.
European and North American authorities, including France and the Netherlands, have successfully dismantled "First VPN Service" in Operation Saffron. This criminal VPN was used by at least 25 ransomware groups and other cybercriminals to obscure ransomware attacks, data theft, and denial-of-service operations.
Lawmakers are demanding answers from the U.S. CISA following reports that a contractor intentionally published AWS GovCloud keys and other agency secrets on a public GitHub account, designated "Private-CISA." CISA is reportedly still working to invalidate and replace leaked credentials, which included an RSA private key granting full access to CISA-IT GitHub repositories, raising concerns about the agency's internal security and contractor management.
The Belarus-aligned APT group Ghostwriter (UAC-0057/UNC1151) is targeting Ukrainian government entities with a new phishing campaign. Lures related to the legitimate Prometheus online learning platform are used in emails from compromised accounts, delivering PDF attachments that lead to a JavaScript file (OYSTERFRESH), which then drops obfuscated malware (OYSTERBLUES) and a decoder (OYSTERSHUCK), ultimately deploying Cobalt Strike for persistent system access. CERT-UA advises restricting wscript.exe for regular users.
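One way to act on the CERT-UA advice above is to put a deny-execute ACE for the built-in Users group on wscript.exe, so a phishing-delivered .js file has no host to run in. The script below is an added example, not CERT-UA's or the article's own code; it assumes a default Windows install (wscript.exe under System32 and, on 64-bit systems, SysWOW64) and is run from an elevated prompt. Well-known SIDs are used instead of group names so it works regardless of OS language.

```powershell
# Added example: deny execute on wscript.exe for BUILTIN\Users.
# Assumptions: default Windows paths, elevated PowerShell session.

$usersSid  = '*S-1-5-32-545'   # BUILTIN\Users (well-known SID, locale-independent)
$adminsSid = '*S-1-5-32-544'   # BUILTIN\Administrators
$targets   = @(
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\SysWOW64\wscript.exe"   # 32-bit copy, present on 64-bit Windows
)

foreach ($exe in $targets) {
    if (-not (Test-Path $exe)) { continue }

    # System32 binaries are owned by TrustedInstaller and Administrators only hold
    # read/execute, so take ownership first to get WRITE_DAC on the file ...
    takeown.exe /F $exe /A | Out-Null
    icacls.exe  $exe /grant "$($adminsSid):F" | Out-Null

    # ... add the explicit deny-execute ACE (explicit deny beats inherited allow) ...
    icacls.exe  $exe /deny "$($usersSid):(X)" | Out-Null

    # ... then hand ownership back so Windows servicing sees the expected owner.
    icacls.exe  $exe /setowner 'NT SERVICE\TrustedInstaller' | Out-Null
}

# Verify: the DACL should now list a Deny (X) entry for Users on each file,
# and a standard user launching wscript.exe should get "Access is denied".
foreach ($exe in $targets) {
    if (Test-Path $exe) { icacls.exe $exe }
}
```

Two caveats before rolling this out: local administrator accounts are normally also members of Users, so the deny applies to them as well unless admin accounts are kept out of that group; and a cumulative update can replace the binary and drop the ACE, so re-run the verification step after patching. In a domain, an AppLocker or Software Restriction Policy rule delivered by Group Policy is the more durable way to express the same restriction.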
CISA has introduced a new nomination form, allowing cybersecurity researchers, vendors, and industry partners to report actively exploited vulnerabilities for inclusion in its Known Exploited Vulnerabilities (KEV) catalog. This initiative aims to enhance the KEV list's comprehensiveness and timeliness.
The FBI has issued an advisory regarding Kali365, a Telegram-based phishing-as-a-service (PaaS) platform. This service allows cybercriminals to capture legitimate OAuth tokens, enabling widespread unauthorized access to Microsoft 365 environments following successful phishing attacks, with activity observed in April.
Canadian authorities have arrested and charged Jacob Butler for allegedly operating the KimWolf DDoS botnet. According to the U.S. Justice Department, KimWolf ran as a DDoS-for-hire service built on more than a million infected devices worldwide, making the arrest a major disruption to a large criminal operation.