Ticker feed
Security researchers discovered a critical zero-click vulnerability called "Mail2Shell" in FreeScout, a popular open-source help desk application. The flaw (CVE-2026-28289) allows attackers to completely hijack mail servers without any user interaction or authentication.
The attack exploits a bypass in a recent security patch by using a hidden Unicode character (Zero-Width Space) in malicious email attachments. When FreeScout processes these crafted emails, the hidden character slips past security filters but gets stripped later, leaving dangerous files on the server.
With over 1,100 publicly exposed FreeScout instances used by healthcare, finance, and tech companies, this vulnerability poses serious risks. Successful attacks can lead to complete server takeover, data theft, and network infiltration. FreeScout released version 1.8.207 to fix the issue - administrators must update immediately.
Source: Cyber Security News
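The ordering problem described in this item (a filter runs on the raw attachment name, and the hidden character is stripped afterwards) can be shown in a few lines. This is an added illustration, not FreeScout code: the blocked-extension list, function names and sample filename are assumptions constructed for the example.

```python
import unicodedata

# Assumed policy for this sketch (not FreeScout's actual rules): attachments
# with these extensions must never be written to the attachment directory.
BLOCKED_EXTENSIONS = (".php", ".phtml", ".phar")

# Constructed sample: a name ending in U+200B ZERO WIDTH SPACE.
SAMPLE_BAD = "invoice.php\u200b"


def strip_invisible(name: str) -> str:
    """Drop Unicode format characters (category Cf), which render as nothing."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def invisible_chars(name: str) -> list:
    """List hidden code points in a name, e.g. for logging or alerting."""
    return [f"U+{ord(ch):04X}" for ch in name if unicodedata.category(ch) == "Cf"]


def is_blocked(name: str) -> bool:
    """True if the name ends with a blocked extension (case-insensitive)."""
    return name.lower().endswith(BLOCKED_EXTENSIONS)


def store_name_check_then_clean(raw: str):
    """Flawed ordering: validate the raw name, then clean it before storing."""
    if is_blocked(raw):
        return None
    return strip_invisible(raw)  # the stored name was never validated


def store_name_clean_then_check(raw: str):
    """Hardened ordering: clean first, then validate the exact name stored."""
    cleaned = strip_invisible(raw)
    if is_blocked(cleaned):
        return None
    return cleaned


if __name__ == "__main__":
    print("hidden code points:", invisible_chars(SAMPLE_BAD))
    print("check-then-clean stores:", store_name_check_then_clean(SAMPLE_BAD))
    print("clean-then-check stores:", store_name_clean_then_check(SAMPLE_BAD))
```

The general rule is to validate the final, canonical form of any name that will reach the filesystem; logging names that contain format characters gives a cheap detection signal.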
A Qualcomm graphics kernel vulnerability (CVE-2026-21385) is being exploited in "limited, targeted" attacks against Android devices. Google's March security bulletin flagged this high-severity flaw, which affects multiple chipsets and earned a 7.8 CVSS score.
Security experts believe the "limited, targeted" language suggests nation-state actors or commercial spyware vendors are behind the attacks, similar to previous Qualcomm zero-days linked to surveillance tools. The vulnerability requires local access and causes memory corruption during allocation.
Another critical flaw (CVE-2026-0047) allows privilege escalation without user interaction, though it needs existing device access. Patches are available through Qualcomm and Android's open source project, but users must wait for device manufacturers to deploy updates—a delay that matters when exploits spread rapidly.
Source: Dark Reading
Data breach notifications hit record highs last year, with 80% of Americans receiving at least one letter. The Identity Theft Resource Center says don't just toss these notices – they often include free identity protection services.
Experts recommend three key steps: freeze your credit (the most effective protection), change passwords on affected accounts, and consider adopting passkeys for future security. Parents should also freeze their children's credit.
The recent Conduent breach exemplifies delayed notifications – while disclosed in April, some of the 25 million affected people are just now receiving letters. The compromised data includes names, Social Security numbers, and medical information, though no misuse has been detected yet.
Source: CBS News Philadelphia
Microsoft disclosed a critical zero-day vulnerability in Word (CVE-2026-21514) on February 10, 2026, that's being actively exploited by attackers. The flaw bypasses Word's security protections, allowing malicious documents to execute code without triggering the usual "Enable Content" warnings that alert users to threats.
The vulnerability affects multiple Office versions, including Microsoft 365, Office LTSC 2021/2024, and Mac editions. Attackers exploit it by sending specially crafted Word documents through phishing emails. When victims open these files, the exploit runs silently in the background.
Microsoft has released patches for all affected versions. CISA ordered federal agencies to update by March 3, 2026, highlighting the severity of this threat.
Source: Cybersecurity News
The UK's National Cyber Security Centre has warned British businesses with Middle East operations to boost their cyber defenses against Iranian hackers following recent US-Israeli military strikes. While Iran's political and military leadership has been devastated, including the death of Supreme Leader Ayatollah Ali Khamenei, the NCSC says Iranian cyber actors "almost certainly" maintain attack capabilities.
The agency sees "heightened risk" for UK firms with Middle East offices or supply chains, though direct threats to Britain remain unchanged. Iran previously launched major cyber attacks between 2012 and 2014 against US banks, Saudi Aramco, and Las Vegas casinos.
Cybersecurity experts note Iran isn't as sophisticated as China or Russia but remains dangerous. CrowdStrike reports seeing threatening Iranian activity, including denial-of-service attacks attempting to overwhelm servers with traffic.
Source: The Guardian
Madison Square Garden has officially confirmed a data breach months after the Cl0p ransomware group targeted its Oracle E-Business Suite system in August 2025. The hackers exploited zero-day vulnerabilities and stole over 210GB of data from MSG's third-party hosted system, including names and Social Security numbers of customers.
The breach was part of a larger cybercrime campaign that hit more than 100 organizations using Oracle's enterprise software. Cl0p publicly named MSG as a victim in November and leaked the stolen data after the company apparently refused to pay ransom demands.
MSG Entertainment is now notifying affected individuals, with at least 11 Maine residents confirmed impacted, though the total number of victims remains unclear.
Source: Security Week
Security researchers have published exploit code for CVE-2026-2441, a critical Chrome vulnerability that Google confirmed is being actively exploited by attackers. The zero-day flaw affects Chrome's Blink rendering engine and allows hackers to execute malicious code just by tricking users into visiting a compromised website.
Google rushed out an emergency patch within two days after researcher Shaheen Fazim reported the bug on February 11, 2026. The vulnerability stems from a use-after-free error in Chrome's CSS font handling that can crash the browser and potentially lead to full system compromise when combined with other exploits.
The U.S. CISA has added this flaw to its known exploited vulnerabilities list. Chrome users need to update immediately to version 145.0.7632.75 or later.
Source: Cybersecurity News
Spanish police arrested a 20-year-old man who allegedly hacked a hotel booking website to reserve luxury rooms for just one cent instead of up to €1,000 per night. The suspect was caught at a Madrid hotel where he'd racked up over €20,000 in charges across multiple stays.
Police say he manipulated the payment validation system through a cyber attack, making it authorize transactions for €0.01 while appearing legitimate. The scam was discovered when the actual penny payments were transferred to hotels. Investigators tracked him down in just four days after a booking site reported suspicious activity. He was staying in a €4,000-per-night Madrid suite when arrested.
Source: BBC
Blockchain lender Figure Technology Solutions suffered a massive data breach affecting nearly 967,000 users after an employee fell for a social engineering attack. The ShinyHunters hacker group claims responsibility, posting over 2.4GB of stolen files on their dark web site.
The compromised data includes names, birth dates, email addresses, home addresses, and phone numbers of Figure customers. The Nasdaq-listed fintech company specializes in blockchain-based home equity loans and mortgages.
ShinyHunters says Figure was targeted as part of a broader Okta campaign using voice phishing to compromise single sign-on accounts. Other victims include Betterment, Crunchbase, and Panera Bread.
Source: Security Week
Cybercriminals are increasingly targeting industrial organizations, with 119 ransomware groups tracked in 2025 compared to 80 in 2024, according to Dragos researchers. Over 3,300 industrial organizations worldwide were hit by ransomware attacks, nearly double the 1,693 affected in 2024.
Manufacturing led as the most targeted sector, followed by transportation, oil and gas, electricity, and communications. Attackers primarily exploited remote-access portals like VPNs using stolen credentials obtained through phishing, malware, or dark web purchases.
The average "dwell time" before ransomware deployment was 42 days, allowing criminals to move quietly between IT and operational technology systems. One group used compromised VPN access to target SCADA virtual machines, causing operational delays despite not directly touching industrial equipment.
Dragos CEO Robert M. Lee warns that without comprehensive monitoring, future technologies like AI and distributed energy will create even greater security blind spots.
Source: Infosecurity Magazine