top of page

Last week in cybersecurity: 15 extremely Hot global events

This last week in cybersecurity brief brings a shocking overview of 15 major international events. Most notably, the era of 100% automated AI ransomware dubbed JADEPUFFER, the catastrophic data leak from 73,000 Fortinet devices, and a series of critical RCE vulnerabilities actively exploited across Microsoft SharePoint, Oracle, and Linux systems.

How is Artificial Intelligence (AI) reshaping cyberattacks and extortion?

AI is no longer just a support tool; it has directly become the "author" and "agent" executing data encryption campaigns. Vulnerabilities on AI platforms themselves are also top targets for hackers.

1. AI JADEPUFFER automates Ransomware from A to Z

Sysdig discovered the first ransomware campaign executed entirely by an autonomous AI agent. By exploiting the Langflow RCE vulnerability, this AI model scanned servers, stole API keys, took over Nacos databases, and encrypted all 1,342 configurations without any human intervention.

A comment in the ransomware's own code claims that it copied the data elsewhere.
A comment in the ransomware's own code claims that it copied the data elsewhere.

2. InfernoGrabber v9.0 malware created by DeepSeek

Generated with the assistance of the DeepSeek AI model, this malware disguises itself as an AI Discord image enhancement tool. It abuses the File System Access API to encrypt victims' data directly within the browser (like Chrome, Edge) without needing to install executable files.

3. Zero-Click vulnerability on Cursor IDE (DuneSlide)

Two maximum-severity flaws (CVSS 9.8) on the Cursor IDE programming platform allow hackers to escape the sandbox via Prompt Injection. A simple prompt command is enough to completely compromise the system.

4. Anthropic redeploys Claude Mythos 5

Following a suspension by the US government, the most powerful cybersecurity AI model, Claude Mythos 5, has been cleared to return for critical infrastructure organizations. This model previously caused a stir by achieving a 72% success rate in generating working exploits on its first attempt.

II. Which Zero-day and RCE vulnerabilities are being exploited the most fiercely?

The past week recorded a series of dangerous vulnerabilities on popular enterprise platforms being actively exploited in the wild. Cybercriminals are taking advantage of the "patch gap" to infiltrate systems.

5. Urgent warning for RCE vulnerability on Microsoft SharePoint

CISA issued an alert regarding CVE-2026-45659 on Microsoft SharePoint being actively exploited. This flaw allows low-privileged attackers to execute code remotely, threatening over 10,000 exposed servers on the internet.

6. Oracle EBS Payments vulnerability (CVE-2026-46817) under attack

Threat intelligence company Defused confirmed exploitation attempts targeting an extremely critical vulnerability in the Oracle Payments module within the Oracle E-Business Suite (EBS) ecosystem.

7. Authentication bypass on SimpleHelp RMM (CVE-2026-48558)

A vulnerability in the SimpleHelp remote management software is being abused to drop the cross-platform Djinn Stealer malware (Windows, macOS, Linux). This malware specializes in stealing login credentials from cloud platforms, browsers, and crypto wallets.

8. Anubis gang abuses Citrix Bleed 2

The Anubis ransomware group is actively exploiting CVE-2025-5777 (Citrix Bleed 2) on NetScaler ADC to gain initial access, then using legitimate remote monitoring and management (RMM) tools to maintain stealthy control.

VECT and TeamPCP's ransomware attack partnership.
VECT and TeamPCP's ransomware attack partnership.

9. "Bad Epoll" vulnerability grants Root access on Linux and Android

A zero-day flaw (Race condition & Use-after-free) in the Linux kernel allows unprivileged users to escalate to Root privileges with a 99% reliability. The only current mitigation is to apply the upstream kernel patch immediately.

III. What malware campaigns and data leak crises are threatening enterprises?

The combination of malware, massive proxy networks, and token theft is making attacks more unpredictable and harder to detect.

10. FortiBleed disaster threatens 73,000 Fortinet devices

This massive espionage campaign stole configurations and credentials from tens of thousands of compromised FortiGate firewalls. More frighteningly, SOCRadar confirmed that the FortiBleed infrastructure is directly linked to the notorious INC and Lynx ransomware gangs.

11. Takedown of NetNut/Popa's 2-million device network

Google, in coordination with the FBI, delivered a heavy blow to the NetNut proxy network, freeing over 2 million home electronic devices (like smart TVs and streaming boxes) from being used as anonymous traffic relays for attackers.

12. ToddyCat APT group uses Umbrij malware to steal Gmail

Cybercriminals used Umbrij malware to abuse the OAuth protocol, hijacking authentication tokens to secretly read Gmail messages via the Google API without needing the victim's password.

IV. What are the notable security updates and new features?

Alongside the risks, the tech world also welcomed new tools and security patches to bolster defenses.

13. Opera launches Paste Protect to prevent ClickFix

The Opera browser recently introduced a mechanism to automatically block malicious commands copied to the clipboard to prevent ClickFix social engineering tactics.

14. WhatsApp tests Username feature

The 3-billion-user messaging platform WhatsApp officially initiated a "username" feature to hide phone numbers, accompanied by a 4-digit "username key" to completely block unsolicited messages from strangers.

15. Kali Linux 2026.2 optimizes performance

The preferred operating system for security professionals just released a new version that cuts virtual machine (VM) QEMU boot time by 3 times, while adding 9 powerful new tools.

IPSIP Expert Perspective

Looking at the global picture of last week in cybersecurity, we are witnessing the rise of "automated attack machines" like JADEPUFFER, as well as compound risks from core network vulnerabilities such as Microsoft SharePoint and Fortinet. This proves that enterprise security systems no longer have time for "delayed reactions".

To counter the risks of credential theft (FortiBleed) or widespread vulnerability exploitation (Citrix Bleed 2, SharePoint RCE), organizations need to establish a continuous monitoring architecture. The first and most practical step is to conduct periodic Vulnerability Assessment to scan, detect, and patch loopholes early across devices and applications before hackers exploit them.

However, against stealthy and sophisticated threats spawned by AI, static defense systems are insufficient. Enterprises must equip a Security Operations Center (SOC) operating 24/7. Operating a SOC helps monitor all anomalous traffic in the network environment, react automatically in real-time to isolate malware intrusions or unauthorized access early, and protect the integrity of core digital assets against the unpredictable attack waves of the new decade.

--------------

References:

Comments


follow ipsip vietnam.png
40051abd5a76713af8f015988fc6780e-blue-phone-icon-with-a-wave-on-it.webp
whatsapp-mobile-software-icon-png-image_6315991.png
pngtree-minimal-calendar-icon-vector-png-image_21233134.png
IPSIP logo transparent.png

IPSIP VIETNAM ONE MEMBER LIMITED LIABILITY COMPANY (IPSIP VIETNAM OMLLC)

Tax code: 0313859600

🏢 SH05.01, B4 Street, Saritown Area, An Khanh Ward, Ho Chi Minh City, Vietnam

​☎  +84 918 397 489

  • Linkedin
  • Facebook
  • TikTok
  • Email liên hệ
png-clipart-iso-iec-27001-information-security-management-iso-iec-27002-international-orga
soc 2 type ii

Our Services

Sign up to receive in-depth cybersecurity documents and news from IPSIP Vietnam.

bottom of page