A threat group called Silent Ransom (also tracked as UNC3753, Luna Moth, and Chatty Spider) has been hitting US law, financial, and professional services firms with a slick social engineering campaign between January and May 2026, according to Google's Mandiant division.
The attacks start with a fake invoice email, followed by a phone call from someone pretending to be IT support. Victims are talked into screen-sharing sessions and downloading remote access tools. In some cases, attackers physically showed up at offices with USB drives to steal data directly.
Once inside, the group moves fast — sometimes from initial contact to extortion demand in under an hour. Ransom demands come with a three-day deadline and threats to notify clients, partners, and journalists if victims don't comply.
Source: Dark Reading
A ransomware attack has forced Evanston Township High School to close its campus, canceling summer school, sports camps, and all on-campus activities. The attack, discovered Sunday, knocked out phone lines, internet, computers, and even the school's emergency notification and PA systems.
The FBI is now investigating alongside cybersecurity attorneys and forensic experts. No ransom demand has been received yet. Staff were told to stay home Monday, and students and teachers won't have building access for at least two days. District spokesperson Reine Hanna noted the summer timing reduced the overall impact. Google passwords for employees have already been reset as a precaution.
Source: CBS News Chicago
Lansing Community College (LCC) is notifying 174,307 people that their personal data was exposed in a breach discovered in February 2025 — more than a year after it happened. Hackers used compromised credentials to access systems, pulling names, addresses, dates of birth, driver's license details, and Social Security numbers.
LCC says there's no evidence the data was removed or misused, and that affected data varies by individual. The Michigan college is offering 24 months of free credit monitoring and identity protection to those impacted. No ransomware group has claimed responsibility.
Source: SecurityWeek
CISA has added CVE-2022-0492, a Linux kernel privilege escalation flaw, to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The vulnerability targets the cgroups v1 release_agent feature, allowing attackers to execute arbitrary commands with root-level access — and potentially break out of containerized environments entirely.
It's especially dangerous in cloud-native setups where containers rely on cgroups for resource isolation. Federal agencies must patch by June 5, 2026. Other organizations should move fast too — fixes include updating the kernel, disabling unprivileged user namespaces, and auditing container configurations for suspicious cgroup activity.
Source: Cybersecurity News
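A host posture check for the two mitigations the item above mentions, written as an added example (not code from the article, CISA, or any kernel project): it reports whether cgroup v1 is mounted, which is the only hierarchy that has the release_agent mechanism, and whether unprivileged user namespaces are enabled. The mountinfo sample and the "exposed" heuristic are assumptions for illustration; patch status still has to be checked against your distribution's advisory.

```python
"""Posture check for the CVE-2022-0492 mitigations: cgroup v1 mounts and user namespaces.

Added example, not from the article. Reads the live /proc files where
available and falls back to a constructed sample so it runs anywhere.
"""
from pathlib import Path

# Constructed, abridged /proc/self/mountinfo sample: one cgroup v1 controller
# (memory) and one cgroup v2 hierarchy.
SAMPLE_MOUNTINFO = """\
25 30 0:23 / /sys/fs/cgroup ro,nosuid - tmpfs tmpfs ro,mode=755
26 25 0:24 / /sys/fs/cgroup/memory rw,nosuid - cgroup cgroup rw,memory
27 25 0:25 / /sys/fs/cgroup/unified rw,nosuid - cgroup2 cgroup2 rw
"""

def cgroup_v1_mounts(mountinfo_text):
    """Mount points whose filesystem type is 'cgroup' (v1); 'cgroup2' is ignored."""
    found = []
    for line in mountinfo_text.splitlines():
        pre, sep, post = line.partition(" - ")   # mountinfo separates fstype with " - "
        if not sep:
            continue
        fstype = post.split()[0]
        mount_point = pre.split()[4]              # field 5 is the mount point
        if fstype == "cgroup":
            found.append(mount_point)
    return found

def userns_enabled(max_user_ns, unprivileged_clone=None):
    """True if an unprivileged process may create a user namespace.

    max_user_ns: user.max_user_namespaces (0 disables).
    unprivileged_clone: kernel.unprivileged_userns_clone on Debian/Ubuntu
    kernels, or None where that sysctl does not exist.
    """
    if int(max_user_ns) == 0:
        return False
    if unprivileged_clone is not None and int(unprivileged_clone) == 0:
        return False
    return True

def read_proc(path):
    p = Path(path)
    return p.read_text().strip() if p.exists() else None

def assess(mountinfo_text, max_user_ns, unprivileged_clone=None):
    """Heuristic (assumption): the unprivileged path needs both v1 cgroups and user namespaces."""
    v1 = cgroup_v1_mounts(mountinfo_text)
    userns = userns_enabled(max_user_ns, unprivileged_clone)
    return {"cgroup_v1_mounts": v1, "userns_enabled": userns, "exposed": bool(v1) and userns}

if __name__ == "__main__":
    print(assess(read_proc("/proc/self/mountinfo") or SAMPLE_MOUNTINFO,
                 read_proc("/proc/sys/user/max_user_namespaces") or "0",
                 read_proc("/proc/sys/kernel/unprivileged_userns_clone")))
```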
CISA is urging federal agencies to patch a critical vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2 within three days. The flaw, CVE-2026-45247, carries a near-perfect CVSS score of 9.8 and requires no authentication to exploit.
Attackers inject malicious PHP objects through the CacheWarmer cookie, which escalates to full remote code execution on Magento and Adobe Commerce servers. Imperva reports active exploitation began shortly after public disclosure on May 26. Thousands of stores are at risk — any running a version before 1.11.12 should update immediately.
Source: SecurityWeek
CISA added a critical SolarWinds Serv-U flaw, CVE-2026-28318, to its Known Exploited Vulnerabilities catalog on June 5, 2026, with a remediation deadline of June 19 for federal agencies.
The vulnerability lets unauthenticated attackers crash Serv-U file transfer software remotely by sending a malicious POST request with a Content-Encoding: deflate header — no credentials required. That zero-privilege, network-accessible attack path makes it especially dangerous for organizations with Serv-U exposed to the internet.
SolarWinds has released a fix in version 15.5.4 Hotfix 1. All organizations should patch immediately, restrict Serv-U exposure behind a firewall or VPN, and monitor logs for suspicious POST requests.
Source: Cybersecurity News
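One way to do the log monitoring the item above recommends, as an added example that is not from the article or SolarWinds: it flags POST requests that carry a Content-Encoding: deflate header and tallies them per source address. The key=value log layout and the sample lines are constructed assumptions (the article does not describe Serv-U's log format), so the parser would need adapting to whatever reverse proxy or Serv-U log you actually have.

```python
"""Flag POST requests with Content-Encoding: deflate in a constructed access log.

Added example, not from the article. Assumes a key=value log line per
request, as a reverse proxy in front of Serv-U might emit.
"""
import re
from collections import Counter

# Constructed sample: a normal upload, a benign GET, and two requests matching
# the pattern in the advisory (POST + deflate); status 5xx suggests a crash.
SAMPLE_LOG = """\
2026-06-05T10:01:02Z src=203.0.113.7 method=POST path=/api/upload status=200 content_encoding=- user=alice
2026-06-05T10:01:05Z src=198.51.100.9 method=GET path=/ status=200 content_encoding=- user=-
2026-06-05T10:02:11Z src=198.51.100.9 method=POST path=/ status=500 content_encoding=deflate user=-
2026-06-05T10:02:12Z src=198.51.100.9 method=POST path=/login status=502 content_encoding=Deflate user=-
"""

LINE_RE = re.compile(r"(?P<ts>\S+)\s+(?P<kv>.+)")

def parse_line(line):
    """Return a dict of fields, or None for a line that does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields

def is_suspicious(fields):
    """POST carrying a deflate Content-Encoding, regardless of header case."""
    return (fields.get("method") == "POST"
            and "deflate" in fields.get("content_encoding", "").lower())

def find_suspicious(log_text):
    parsed = (parse_line(l) for l in log_text.splitlines())
    return [f for f in parsed if f and is_suspicious(f)]

def sources_by_count(hits):
    """Source addresses ranked by number of suspicious requests."""
    return Counter(h.get("src", "?") for h in hits)

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["src"], h["path"], "status", h["status"])
    print(sources_by_count(hits).most_common())
```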
A critical vulnerability in the Everest Forms Pro WordPress plugin is under active attack, with over 29,300 exploitation attempts blocked since April 13, 2026. The flaw, CVE-2026-3300, scores a near-perfect 9.8 on the CVSS scale and affects all versions up to 1.9.12.
The bug lives in the plugin's "Complex Calculation" feature, where user inputs are passed directly into PHP's eval() function without proper sanitization. Attackers don't need credentials — they just submit a crafted form field. Most attacks aim to create rogue admin accounts, with one common payload creating a user named "diksimarina."
A patch (version 1.9.13) has been available since March 18. Update immediately.
Source: Cybersecurity News
A debug setting accidentally left enabled in production releases of six Microsoft Android apps — Word, Excel, PowerPoint, OneNote, Loop, and 365 Copilot — exposed users to potential account takeover at massive scale. Researchers at Enclave found the flaw disabled a security check that prevents untrusted apps from grabbing Microsoft authentication tokens.
Any malicious Android app could silently request and receive login tokens, giving attackers access to emails, Teams messages, and files. Worse, the stolen tokens were long-lived FOCI tokens that blend in with normal traffic, making detection nearly impossible. Microsoft has since patched all six apps across CVEs CVE-2026-41100 through CVE-2026-42832.
Source: Dark Reading
Bedfordshire Hospitals NHS Foundation Trust has revealed that personal data belonging to 32,927 patients was stolen and published online following a ransomware attack in June 2024. The breach hit a third-party supplier serving multiple healthcare organisations, and the stolen files — covering patients who had lab or diagnostic results between 2011 and 2020 — were later posted on dark web forums.
It took specialists over a year to piece together the fragmented, unstructured data before the trust could confirm what was taken. Exposed information may include names, dates of birth, NHS numbers, postcodes, and test results. The trust says there's no evidence the data has been misused, but is urging affected patients to stay alert to suspicious communications.
Source: BBC News
Kali365, a phishing-as-a-service platform the FBI warned about last month, has grown far more dangerous. Originally built to bypass MFA on Microsoft 365 accounts, it now targets AWS, Okta, Xerox DocuShare, and a range of Russian platforms — including MAX Messenger, a Kremlin-backed messaging app with over 80 million users.
Arctic Wolf researchers mapped 126 active malicious hosts operating between early and late May, all running the same kit. Kali365 exploits device code phishing, tricking victims into completing authentication on the attacker's behalf — making MFA useless. At least 14 similar kits are now circulating, and the threat is accelerating.
Source: Dark Reading