Front Page

Cybersecurity Intelligence

RansomHouse Claims Trellix Breach, Publishing Evidence of Source Code and Internal Infrastructure Access

RansomHouse named cybersecurity vendor Trellix on its dark web leak site on May 7, claiming a compromise initiated April 17. The group published screenshots showing access to source code repositories alongside what researchers identified as internal VMware, Rubrik, and Dell EMC system interfaces.

Trellix confirmed unauthorized access to "a portion" of its source code repository and engaged forensic experts while notifying law enforcement. The primary investigative concern is whether the breach extended to development secrets, code-signing credentials, or exploitable product logic that could be weaponized against Trellix's enterprise customer base.

Linux Security

"Copy Fail" (CVE-2026-31431): Page-Cache Privilege Escalation Creates an Undetectable Forensic Blind Spot on Linux

CVE-2026-31431, dubbed "Copy Fail," enables local root escalation by corrupting the page-cache copy of privileged binaries while leaving the on-disk files untouched. An attacker abuses the AF_ALG socket interface and splice() to write into the cached pages of setuid-root executables such as /usr/bin/su; because exec() maps the binary from the page cache, the kernel runs the tampered code on the next execution and the attacker gets root.

CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities catalog, with FCEB agencies required to patch by May 15. Because the exploit never writes the file, a disk image shows an intact binary. The evidence is the tampered page itself, and it exists only while that page stays resident: until it is evicted, the kernel serves the tampered bytes to every read() and exec() of the file, so hashing the binary through the normal file API and comparing against a known-good value (or a package integrity check such as rpm -V or dpkg --verify, which reads through the page cache) exposes the discrepancy. A reboot, memory pressure, or a drop_caches flush replaces the page with the clean copy from disk and destroys that evidence. Treat volatile-memory acquisition, which captures page-cache pages, as the first step on any suspected Linux host, and run the live hash comparison before anything restarts the machine.
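The check described above, written out as an added example (not code from the original article or from the CVE-2026-31431 advisory): it hashes a file once through read(), which the page cache serves, and once with O_DIRECT, which bypasses the cache, and compares both against a trusted digest. The trusted digest is assumed to come from a clean source (package database on a known-good host, vendor manifest, or golden image); the script does not derive it, and the sample file it hashes in its self-check is constructed, not a real binary.

```python
"""Triage check for page-cache tampering of a privileged binary (added example).

Relies only on the mechanism the article describes: the cached copy of a file
differs from the on-disk copy. The trusted digest is an input, not derived here.
"""
import errno
import hashlib
import mmap
import os
import tempfile

# 1 MiB: a multiple of any sector or page size O_DIRECT may require.
CHUNK = 1 << 20


def digest_via_page_cache(path):
    """SHA-256 of the bytes the kernel serves through read(), i.e. the page cache."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_via_direct_io(path):
    """SHA-256 of the bytes read with O_DIRECT, which bypasses the page cache.

    Returns None if the platform lacks O_DIRECT or the filesystem refuses it
    (e.g. EINVAL on older tmpfs); the caller must then report the disk side as
    unverified rather than assume it is clean.
    """
    flag = getattr(os, "O_DIRECT", None)
    if flag is None:
        return None
    try:
        fd = os.open(path, os.O_RDONLY | flag)
    except OSError as e:
        if e.errno in (errno.EINVAL, errno.EOPNOTSUPP):
            return None
        raise
    h = hashlib.sha256()
    buf = mmap.mmap(-1, CHUNK)  # anonymous mapping: page-aligned, as O_DIRECT demands
    try:
        offset = 0
        while True:
            try:
                n = os.preadv(fd, [buf], offset)
            except OSError as e:
                if e.errno in (errno.EINVAL, errno.EOPNOTSUPP):
                    return None
                raise
            h.update(buf[:n])
            if n < CHUNK:  # a short read only happens at EOF
                break
            offset += n
    finally:
        buf.close()
        os.close(fd)
    return h.hexdigest()


def classify(path, trusted_sha256):
    """Compare the cached and on-disk views of a file against a trusted digest.

    'clean'               read() returns the trusted bytes
    'page-cache-tampered' read() differs but O_DIRECT still matches: the pattern
                          the article describes, and the one disk imaging misses
    'disk-modified'       both views differ: an ordinary on-disk replacement
    'mismatch-unverified' read() differs and O_DIRECT was unavailable
    """
    if digest_via_page_cache(path) == trusted_sha256:
        return "clean"
    disk = digest_via_direct_io(path)
    if disk is None:
        return "mismatch-unverified"
    return "page-cache-tampered" if disk == trusted_sha256 else "disk-modified"


def scan(trusted):
    """Classify every path in a {path: sha256} manifest; missing files are reported."""
    report = {}
    for path, digest in trusted.items():
        try:
            report[path] = classify(path, digest)
        except FileNotFoundError:
            report[path] = "missing"
    return report


def demo_on_constructed_file():
    """Self-check on a constructed file whose cached and on-disk views agree."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"\x7fELF constructed sample, not a real binary\n" * 700)
    try:
        good = digest_via_page_cache(tmp.name)
        return {
            "with_trusted_digest": classify(tmp.name, good),
            "with_wrong_digest": classify(tmp.name, "0" * 64),
            "direct_io_agrees": digest_via_direct_io(tmp.name) in (None, good),
        }
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: pagecache_check.py /usr/bin/su <trusted-sha256>
        print(sys.argv[1], classify(sys.argv[1], sys.argv[2]))
    else:
        print(demo_on_constructed_file())
```

Run it on the live host before anything evicts the page: a reboot, a drop_caches flush or memory pressure all replace the tampered page with the clean copy from disk and turn a "page-cache-tampered" verdict into "clean". A "mismatch-unverified" result means the filesystem would not allow O_DIRECT; it still shows that what the kernel serves is not the trusted binary, so it should be escalated, not dismissed.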

Threat Bulletin

ACTIVE EXPLOIT
CVE-2026-0300

Palo Alto PAN-OS — buffer overflow in the User-ID Authentication Portal enables unauthenticated RCE with root privileges; CVSS 9.3. Exploited since April 9 by state-sponsored cluster CL-STA-1132 for espionage. Forensic Note: Capture PA-Series disk images before patching; examine management-process core dumps and auth portal access logs for shellcode injection artifacts.

HIGH
CVE-2026-23918

Apache HTTP Server 2.4.66 mod_http2 — double-free in stream cleanup enables DoS and potential RCE via an HTTP/2 early RST attack; CVSS 8.8. Fixed in version 2.4.67. Forensic Note: Examine worker-process core dumps and the httpd error log for child exit notices (a segmentation fault, or an abort carrying glibc's "double free or corruption" message, which reaches the error log because httpd redirects stderr there) and correlate their timestamps with HTTP/2 requests from the same clients in the access log. The default combined format records the protocol in the request line ("HTTP/2.0") but not the stream identifier; stream IDs appear only if the LogFormat includes mod_http2's H2_STREAM_ID environment variable.
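The correlation step in that forensic note, as an added example that is not code from the bulletin or from the Apache project. It assumes the common/combined access-log format, where the request line carries the protocol, and the standard error-log notice httpd writes when a child dies on a signal ("child pid N exit signal ..."), with both logs in the same timezone; the log lines embedded below are constructed for the demo, not captured from a real incident.

```python
"""Correlate httpd worker crashes with the HTTP/2 traffic that preceded them (added example)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Prefix of the common/combined formats: client, ident, user, [time], "request", status, size.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)
# Error-log notice for a child that exited on a signal.
CRASH_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[\w+:notice\] .*child pid (?P<pid>\d+) '
    r'exit signal (?P<sig>.+?) \((?P<signo>\d+)\)'
)

# Constructed sample logs: one client hammering an h2 endpoint before each crash,
# one ordinary client. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_ACCESS_LOG = """\
198.51.100.4 - - [12/May/2026:09:14:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [12/May/2026:09:14:20 +0000] "GET /api/v1/items HTTP/2.0" 200 812
203.0.113.7 - - [12/May/2026:09:14:21 +0000] "GET /api/v1/items HTTP/2.0" 200 812
203.0.113.7 - - [12/May/2026:09:14:22 +0000] "GET /api/v1/items HTTP/2.0" 408 0
198.51.100.4 - - [12/May/2026:09:14:25 +0000] "GET /static/app.js HTTP/2.0" 200 44120
203.0.113.7 - - [12/May/2026:09:20:10 +0000] "GET /api/v1/items HTTP/2.0" 200 812
203.0.113.7 - - [12/May/2026:09:20:11 +0000] "GET /api/v1/items HTTP/2.0" 408 0
""".splitlines()

SAMPLE_ERROR_LOG = """\
[Tue May 12 09:14:33.402117 2026] [core:notice] [pid 1000:tid 1000] AH00052: child pid 2231 exit signal Segmentation fault (11)
[Tue May 12 09:20:14.009341 2026] [core:notice] [pid 1000:tid 1000] AH00052: child pid 2302 exit signal Aborted (6)
""".splitlines()


def parse_access(lines):
    """Requests from access-log lines; the UTC offset is dropped after parsing."""
    reqs = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            reqs.append({"ip": m["ip"], "ts": ts, "proto": m["proto"],
                         "uri": m["uri"], "status": int(m["status"])})
    return reqs


def parse_crashes(lines):
    """Child-exit-on-signal notices from the error log."""
    crashes = []
    for line in lines:
        m = CRASH_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            crashes.append({"ts": ts, "pid": int(m["pid"]), "signal": m["sig"]})
    return crashes


def correlate(requests, crashes, window_seconds=30):
    """For each crash, count HTTP/2 requests per client in the window before it.

    Streams reset early may never be logged, so the count is a lower bound on a
    client's h2 activity; recurrence across crashes is the signal, not the number.
    """
    findings = []
    for crash in crashes:
        start = crash["ts"] - timedelta(seconds=window_seconds)
        h2 = Counter(r["ip"] for r in requests
                     if start <= r["ts"] <= crash["ts"] and r["proto"] == "HTTP/2.0")
        findings.append({"pid": crash["pid"], "signal": crash["signal"],
                         "at": crash["ts"].isoformat(), "h2_by_client": dict(h2)})
    return findings


def suspects(findings, min_crashes=2):
    """Clients with HTTP/2 traffic ahead of at least `min_crashes` distinct crashes."""
    seen = Counter(ip for f in findings for ip in f["h2_by_client"])
    return sorted(ip for ip, count in seen.items() if count >= min_crashes)


if __name__ == "__main__":
    found = correlate(parse_access(SAMPLE_ACCESS_LOG), parse_crashes(SAMPLE_ERROR_LOG))
    for f in found:
        print(f"pid {f['pid']} {f['signal']} at {f['at']}: h2 clients {f['h2_by_client']}")
    print("recurring:", suspects(found))
```

On real logs, feed `parse_access` and `parse_crashes` the files line by line and widen the window to match the gap between the last logged request and the crash notice on the affected host; the client that recurs ahead of every crash is the one whose connection and, if the LogFormat records it, H2_STREAM_ID values deserve the core-dump comparison.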

Malware Spotlight

BARADAI Ransomware

File-encrypting ransomware identified by CYFIRMA researchers in May 2026 through underground forum monitoring. BARADAI targets a wide range of local and network file types, appending a distinct extension and dropping a ransom note; no public decryptor currently exists. Forensic Note: Preserve shadow copy metadata and the NTFS USN change journal ($UsnJrnl) before any recovery action; the modification timestamps on encrypted files reveal the order of the encryption sweep.