Front Page

Network Intrusion

SonicWall Gen6 VPNs Under Siege: An Incomplete Patch Lets Akira Bypass MFA and Land in Under an Hour

Defenders confirmed a coordinated campaign that began May 20 brute-forcing credentials against end-of-life SonicWall Gen6 SSL-VPN appliances and sailing past multi-factor authentication via CVE-2024-12802 — a missing MFA enforcement for the UPN login format. SonicWall rated the flaw 6.5; CISA's data publisher independently assessed it at 9.1, Critical.

The trap: the firmware fix alone does not close the hole — Gen6 owners must manually reconfigure the LDAP server, and the hardware reached end-of-life on April 16 with no further updates coming. Intrusions ran a tidy 30–60 minutes — log in, recon, test credential reuse, log out — with Akira ransomware tied to the bulk of follow-on claims. Forensic priority: preserve SSL-VPN authentication logs for UPN-format logins, snapshot LDAP configuration, and trace lateral movement from VPN-adjacent hosts before reimaging.
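To show what the log triage above looks like in practice, here is an added example (not from the original item or from SonicWall) that parses constructed SSL-VPN authentication lines, flags successful UPN-format logins that carried no MFA step, and marks those whose source had already racked up repeated failures. The log layout, field names and sample values are assumptions for the example, not SonicWall's real syslog schema; adapt the regex to the appliance's actual export.

```python
import re
from collections import Counter

# Constructed sample lines (not real appliance output): one login event per line.
SAMPLE_LOG = """\
2026-05-20T01:02:03Z src=203.0.113.10 user=jdoe result=fail mfa=none
2026-05-20T01:02:09Z src=203.0.113.10 user=jdoe result=fail mfa=none
2026-05-20T01:02:15Z src=203.0.113.10 user=jdoe result=fail mfa=none
2026-05-20T01:02:21Z src=203.0.113.10 user=jdoe@corp.example result=success mfa=none
2026-05-20T08:30:00Z src=198.51.100.7 user=asmith result=success mfa=totp
2026-05-20T09:15:00Z src=198.51.100.7 user=asmith@corp.example result=success mfa=totp
"""

# Assumed field layout for the constructed format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\w+) mfa=(?P<mfa>\w+)$"
)


def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_upn(username):
    """UPN form is user@realm, the login format the item says bypassed MFA."""
    return "@" in username


def triage(events, fail_threshold=3):
    """Flag successful UPN logins with no MFA; note brute-force sources.

    Returns (timestamp, source, user, reason) tuples, oldest first.
    """
    fails = Counter(e["src"] for e in events if e["result"] == "fail")
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        if is_upn(e["user"]) and e["mfa"] == "none":
            reason = "upn_login_without_mfa"
            if fails[e["src"]] >= fail_threshold:
                reason += "+brute_force_source"
            findings.append((e["ts"], e["src"], e["user"], reason))
    return findings
```

Run `triage(parse(SAMPLE_LOG))` against an export of the preserved logs to get a first list of sessions to scope before reimaging.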

Data Breach

ShinyHunters Talks Its Way Into Carnival: A Social-Engineered Account Exposes 5.9 Million Travelers

Carnival began notifying 5,995,277 people in late May after an attacker socially engineered an employee on April 14 into granting access to part of the cruise operator's IT estate. Using the compromised account, the intruder reached a limited portion of systems by April 22 and copied personal data before being blocked; the extortion crew ShinyHunters claimed the theft.

Exposed records vary by individual but include names, addresses, dates of birth, email addresses, phone numbers, and government-issued ID numbers — effectively a ready-made identity-theft kit. Carnival is offering 24 months of credit monitoring. Forensic priority: reconstruct the help-desk and identity-verification workflow abused for initial access, scope the compromised account's full data-access timeline, and map exposed identifiers against downstream fraud and account-takeover reports.

Threat Bulletin

CRITICAL
CVE-2026-48172

LiteSpeed User-End cPanel Plugin — incorrect privilege assignment lets any authenticated cPanel user invoke the lsws.redisAble function through the standard cPanel JSON API to run arbitrary scripts as root; CVSS 10.0. Exploited as a zero-day and auto-uninstalled in cPanel's May 19 emergency patch; added to CISA KEV May 27. Forensic Note: Hunt cPanel API logs for lsws.redisAble calls, audit root-owned scripts and cron entries created by non-root users, and confirm the plugin was upgraded to v2.4.7 or later.

ACTIVE EXPLOIT
CVE-2026-41091

Microsoft Defender — elevation-of-privilege flaw lets a local attacker who already holds limited access abuse the antimalware service to obtain SYSTEM; CVSS 7.8. Added to CISA KEV May 20 alongside a Defender denial-of-service bug (CVE-2026-45498). Forensic Note: Review Defender operational logs and process-creation telemetry for unexpected SYSTEM-level child processes spawned from the antimalware service — a hallmark of post-access privilege escalation.

Malware Spotlight

Kazuar — Secret Blizzard P2P Botnet

Russia's Secret Blizzard (Turla) has rebuilt its long-running Kazuar backdoor into a modular peer-to-peer botnet engineered for stealthy, long-term espionage against government, diplomatic, and defense targets. Three module types — Kernel, Bridge, and Worker — split the work, and a leader-election scheme keeps all but one node silent to shrink the detection surface; C2 rides HTTP, WebSockets, or Exchange Web Services, with AMSI, ETW, and WLDP bypasses built in. Forensic Note: Favor behavioral detection over static signatures — hunt anomalous named-pipe/IPC patterns between hosts, irregular EWS traffic, and ETW/AMSI tampering, and treat any single beaconing "leader" as one node of many.