Connect with us

Security

Cloud Bucket Hijacking, Windows LPE Chain, and Global Fraud Bust: A Roundup of 20 Cybersecurity Threats

Published

on

Most security mess starts as admin work. A link gets clicked. A tool gets trusted. A bucket name gets reused. A setting stays loose because nobody wants to touch it.

This week is full of that kind of damage. Not loud. Not clever. Just small gaps doing big jobs. The worst part is how normal it all looks until the bill arrives.

The full ThreatsDay list is below.

  1. Global fraud bust

    A global anti-fraud operation involving 97 countries and territories has resulted in the arrest of 5,811 individuals and the interception of $293 million in illicit assets as part of an operation codenamed First Light 2026 that took place between January 15 and April 30, 2026, to tackle social engineering scams and associated money laundering activities. “Over 142,000 victims globally were identified during Operation First Light 2026, highlighting the extent to which social engineering scams and fraud have escalated into a major transnational threat, affecting individuals, businesses, and governments,” INTERPOL said. More than 23,000 cases were solved, and 15,606 suspects have been identified. In Eswatini, authorities arrested 82 people and dismantled a criminal network running illegal online gambling, money laundering, and elaborate impersonation scams. The Thai police made two arrests and uncovered a money laundering scheme that converted illicit funds from romance scams into various cryptocurrencies, using cross-chain token swaps to obscure the financial trail.

  2. Payment SDK typosquats

    A cluster of 17 malicious npm and PyPI packages have been found to typosquat Paysafe, Skrill, and Neteller SDKs to steal system information and developer secrets, and exfiltrate them to an Ngrok endpoint. The malware skips machines that have less than two CPU cores, and the hostname or username contains sandbox, analyzer, cuckoo, virus, malware, vmware, or vbox. “The threat actor targeted payment app SDKs, which might indicate a financial motive or the desire to monetize using payment app accounts,” Socket said. “The threat actor used their obfuscator ‘properly.’ They did not re-use the same obfuscation key across versions or packages, which is intended to prevent signatures from tracking this malware by the same key. This resulted in different hashes for each file.”

  3. Stealthy code injection

    Cybersecurity researchers have outlined a technique called Process Parameter Poisoning (P³) that can be used to code in foreign processes without raising any security alarms. “P³-Shellcode Loader is a loader that implements a code injection technique which leverages the Process Parameters structure (Process Parameter Poisoning) as an execution and staging location for shellcode injection into remote processes, without triggering common detection mechanisms,” researchers Max Hirschberger and Ogulcan Ugur said. “One major advantage of this technique is that no processes are created in a suspended state and no threads or processes are suspended during its execution.”

  4. Unauthenticated file access

    A critical security flaw in Esri ArcGIS Server 12.0 and prior (CVE-2026-9181, CVSS score: 9.8/7.5) could be exploited to access sensitive files on the system without requiring valid credentials by sending crafted path parameters. “The vulnerability exists in the ArcGIS Server REST Uploads resource, where insufficient validation of crafted path parameters allows an unauthenticated remote attacker to traverse outside the intended directory boundary,” Horizon3.ai said.

  5. Ransomware tooling overlap

    A new analysis of the Interlock (aka Hive0163) ransomware operation has identified links with TAG-124 (aka KongTuke and Landupdate808). The threat actor is known to employ a variety of mostly custom malware, including NodeSnake, Interlock RAT, JunkFiction downloader (aka Dormouse), Supper (aka SocksShell and WINDYTWIST), and JunkFiction cryptor. IBM X-Force said it has discovered strong overlaps between NodeSnake, ModeloRAT, JunkFiction downloader, Interlock RAT, and Supper malware variants, indicating a shared original codebase or possibly common developers. Rhysida, on the other hand, often uses Endico downloader, Broomstick (aka Oyster or CleanUpLoader), Supper, and Tomb cryptor (aka Textshell or pkr_mtsi). Evidence indicates a relationship with IceNova (aka Latrodectus) operators and ITG23 (aka TrickBot). Early versions of JunkFiction date back to May 2024, with the downloader being used to Supper, which then delivers CrossTec Remote Control, a legitimate remote administration tool. “The fact that both ModeloRAT and NodeSnake were deployed by TAG-124/KongTuke, possessed overlaps with other malware families belonging to the Interlock toolkit and used the same exploit during their operations, supports the theory that these activities may be linked,” IBM X-Force said.

  6. Claude data warning

    China’s National Vulnerability Database (CNVDB) is urging developers to uninstall recent Claude Code versions over concerns that they can gather sensitive user data without consent. The “backdoor code” can collect details such as a user’s location and identity, and forward them to remote servers. The agency said the alert only applies to Claude Code versions 2.1.91 (April 2) to 2.1.196 (June 29). “It is recommended that relevant units and users immediately conduct a comprehensive investigation,” CNVDB said. “For development terminals with the above-mentioned affected versions installed, immediately uninstall or upgrade to the latest secure version with the relevant backdoor code removed; strengthen the control of external access permissions and traffic monitoring of development tools within core business network segments to prevent the unauthorized transmission of sensitive data.” The disclosure comes shortly after a report that Claude contained covert code designed to prevent Chinese AI companies from extracting details about its inner workings.

Anthropic later clarified that the experiment was conducted to protect against model distillation. “The encryptor is a newly developed ransomware written in Go, prioritizing recently modified files for encryption and using the ChaCha20-Poly1305 encryption algorithm with integrity checks. It does not leave a ransom note on the disk. The threat actor ROOTBOY is advertising this ransomware on underground forums, known for engaging in data sale and extortion activities between July and November 2025. This development coincides with the use of the Bumblebee malware loader, distributed through SEO poisoning via a trojanized installer for ManageEngine OpManager, to drop AdaptixC2, which then facilitates the deployment of the Akira ransomware.

Another concerning threat is the GhostChrome-X malware, which targets Google Chrome to establish persistent access to compromised hosts. It modifies Chrome’s extension trust model to add malicious extensions and enables operating system-level command execution. The malware collects browser data, communicates with an external server, and supports remote command execution.

A phishing and malware campaign is using Indian Income Tax Return refund notifications to deliver a multi-stage AutoIt infection chain that leads to the deployment of AsyncRAT. Recent samples have shifted to using the LX RAT, a commercially available remote access trojan. The campaign combines various techniques such as sandbox-aware execution, persistence mechanisms, and encrypted communication to maintain control over compromised hosts.

In another campaign targeting India, a variant of the Remcos RAT malware family is delivered through GST-themed ZIP archive lures. This infection chain relies on in-memory execution techniques to evade detection by traditional security tools.

A Microsoft Teams-themed phishing campaign is distributing a legitimate remote access tool configured for unauthorized access. Victims are directed to convincing landing pages that prompt them to download software under the guise of meeting transcript viewers or document-related applications.

A security risk has been identified in ADFS certificates, where configuration drift can expose active signing keys, potentially allowing bad actors to forge high-privilege SAML tokens. AWS emphasizes the need for layered egress security controls to prevent data exfiltration, especially in environments where AI systems may be manipulated for malicious purposes.

Palo Alto Networks Unit 42 has identified a bucket hijacking technique that allows attackers to reroute data from an organization’s active data streams into an external storage bucket, posing a significant risk to cloud service providers.”

Understanding the Global Namespace Risk in Cloud Security

In the realm of cloud security, the issue of global namespace risk poses a significant threat. This risk stems from the fact that a storage bucket name must be globally unique. An attacker can exploit this by deleting a bucket and then recreating it under their own account using the same name. This action allows the attacker to hijack the bucket, redirecting critical logs and sensitive data to their environment.

A similar attack method known as Bucket Monopoly was identified by Aqua Security in 2024. While there have been no reported instances of this technique being used maliciously, the potential for abuse remains a concern.

Unit 42, a prominent cybersecurity research team, has issued warnings regarding various vulnerabilities in recent weeks. These include:

  1. Insecure default configurations and overly permissive enrollment rights in Active Directory Certificate Services (AD CS) that can lead to privilege escalation and unauthorized identity impersonation.
  2. Abuse of Kubernetes identities in conjunction with exposed attack surfaces to escalate privileges within cloud infrastructure.
  3. The exploitation of multi-agent AI systems through prompt injection, highlighting the risks of communication breakdown and lack of proper scoping.
  4. Bypassing sandbox network isolation in Amazon Bedrock AgentCore’s Code Interpreter mode, potentially enabling unauthorized data transfer via DNS tunneling.
  5. The creation of overly broad IAM roles in AgentCore starter toolkit, resulting in an “Agent God Mode” that facilitates privilege escalation across AWS accounts.

Amidst these complex threats, a crucial lesson emerges: vigilance is key. Rather than focusing solely on detecting unusual behavior, organizations must pay close attention to subtle signs of compromise. Look out for discrepancies in names, requests for excessive permissions, outdated security measures, and unexpected data traffic. Prevention lies in scrutinizing the mundane, as many security breaches exploit overlooked vulnerabilities rather than sophisticated tactics.

See also  Hacked Honors: Uncovering the Digital Dirt - The Cyber Chronicle

Trending