Palo Alto Networks Unit 42 has confirmed active exploitation of CVE-2026-0257, a critical authentication bypass vulnerability affecting the GlobalProtect portal and gateway components of PAN-OS software.
The flaw allows remote unauthenticated attackers to forge authentication override cookies and establish unauthorized VPN connections without ever providing valid credentials.
The vulnerability was originally assigned a CVSSv4 score of 4.7 (medium), but following confirmed in-the-wild exploitation, Palo Alto Networks revised the score to 7.8 (high) on May 29, 2026, the same day CISA added it to the Known Exploited Vulnerabilities (KEV) catalog.
The root cause lies in PAN-OS’s authentication override feature, which issues encrypted cookies to authenticated GlobalProtect users for seamless re-authentication, functioning similarly to a bearer token.
When the certificate used to encrypt and decrypt these cookies is the same certificate serving the GlobalProtect HTTPS portal or gateway, an attacker can retrieve the public key directly from the TLS handshake and forge a valid authentication cookie without ever authenticating.
Rapid7 Labs confirmed this through a working proof-of-concept (PoC), published on GitHub as forge_cookie.py, which iterates over certificates in the HTTPS chain, forges authentication cookies using each public key, and tests them against the target gateway.
Internally, the main_DecryptAppAuthCookie function in PAN-OS decrypts the incoming cookie but performs no signature verification whatsoever, meaning any correctly encrypted cookie is implicitly trusted and accepted by the appliance.
Rapid7 MDR first observed exploitation on May 17, 2026, with a second wave emerging on May 21, 2026. Both waves involved cookie-based authentication to local admin accounts originating from low-cost hosting providers Vultr and Dromatics Systems.
The consistent spoofed MAC address aa:bb:cc:dd:ee:ff across both waves strongly suggests a single unidentified threat actor behind the campaign.
Unit 42 researchers found that only a fraction of probed devices went on to establish full VPN tunnels: roughly 2 out of 10 impacted MDR customers saw complete session establishment, confirmed via POST requests to /ssl-vpn/hipreport.esp and /ssl-vpn/getconfig.esp.
Crucially, no lateral movement has been observed to date, though Palo Alto Networks and the responding researchers continue to monitor for post-access behavior.
The vulnerability impacts several PAN-OS branches, including versions prior to 12.1.4-h6, 11.2.4-h17, 11.1.4-h33, and 10.2.7-h34, as well as Prisma Access versions below 11.2.7-h13 and 10.2.10-h36.
Exploitation is only possible when the authentication override feature is enabled and the override certificate is shared with the HTTPS service, a misconfiguration that violates Palo Alto’s own hardening guidance.
Organizations should immediately patch to the vendor-fixed PAN-OS version as outlined in the official security advisory.
As an interim mitigation, administrators should either disable the authentication override feature entirely or generate a dedicated certificate used exclusively for cookie encryption, separate from the HTTPS service certificate.
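The precondition above (override certificate shared with the HTTPS service) can be verified without touching the appliance's cookie logic at all. The following is an added example, not Palo Alto Networks code: it assumes the authentication-override certificate has been exported from the firewall as PEM and the served chain has been exported as PEM (for instance with `openssl s_client -showcerts`), and it reports whether the override certificate appears anywhere in that chain. It checks the whole chain rather than only the leaf because the published PoC iterates over every certificate in the chain. The PEM blobs at the bottom are constructed stand-ins, not real certificates.

```python
"""Check whether the GlobalProtect authentication-override certificate is also
present in the certificate chain the HTTPS portal/gateway serves. Added
example, not Palo Alto Networks code. Assumptions: the override certificate
is exported from the firewall as PEM, the served chain is exported as PEM
(for instance with `openssl s_client -showcerts`), and two certificates are
treated as the same when the SHA-256 of their DER encodings match."""
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_text):
    """Decode every CERTIFICATE block in a PEM bundle to raw DER bytes."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(pem_text)]


def fingerprint(der):
    """SHA-256 fingerprint of one DER certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def find_shared_certificate(override_pem, served_chain_pem):
    """Return (chain position, fingerprint) when the override certificate is
    found anywhere in the served chain, else None. The whole chain is checked
    because the public PoC tries every certificate in it, not only the leaf."""
    override = pem_to_der_list(override_pem)
    if len(override) != 1:
        raise ValueError("expected exactly one override certificate")
    target = fingerprint(override[0])
    for position, der in enumerate(pem_to_der_list(served_chain_pem)):
        if fingerprint(der) == target:
            return position, target
    return None


def fetch_leaf_pem(host, port=443):
    """Fetch the leaf certificate a portal serves (network call, not used by
    the sample below). Python's ssl module returns only the leaf, so export
    the full chain with another tool before calling find_shared_certificate."""
    return ssl.get_server_certificate((host, port))


def _constructed_pem(seed):
    """Constructed stand-in for a certificate: base64 of repeated seed bytes,
    not real X.509 data. Sufficient here because the check compares encodings."""
    body = base64.b64encode(seed * 8).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed test data (not exported from any real appliance).
PORTAL_LEAF = _constructed_pem(b"portal-leaf")
SERVED_CHAIN = PORTAL_LEAF + _constructed_pem(b"intermediate") + _constructed_pem(b"root")
DEDICATED_OVERRIDE = _constructed_pem(b"override-only")

if __name__ == "__main__":
    # Misconfiguration: override cert is the served leaf -> shared at position 0
    print(find_shared_certificate(PORTAL_LEAF, SERVED_CHAIN))
    # Hardened: dedicated override cert is absent from the chain -> None
    print(find_shared_certificate(DEDICATED_OVERRIDE, SERVED_CHAIN))
```

A non-`None` result means the interim mitigation has not been applied: either disable authentication override or issue a dedicated certificate for cookie encryption and re-run the check until it returns `None`.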
| Indicator | Type | Description |
|---|---|---|
| 23.128.228[.]6 | IP Address | Threat actor source IP (pre-PoC) |
| 104.207.144[.]154 | IP Address | Threat actor source IP (pre-PoC); Vultr hosting |
| 146.19.216[.]119 | IP Address | Threat actor source IP (pre-PoC) |
| 146.19.216[.]120 | IP Address | Threat actor source IP (pre-PoC) |
| 146.19.216[.]125 | IP Address | Threat actor source IP (pre-PoC); Dromatics Systems |
| 179.43.172[.]213 | IP Address | Threat actor source IP (pre-PoC) |
| 185.195.232[.]139 | IP Address | Threat actor source IP (pre-PoC) |
| 198.12.106[.]60 | IP Address | Threat actor source IP (pre-PoC) |
| 202.144.192[.]47 | IP Address | Threat actor source IP (pre-PoC) |
| 209.99.191[.]137 | IP Address | Threat actor source IP (Rapid7) |
| 79.130.26[.]202 | IP Address | Threat actor source IP (Rapid7) |
| aa:bb:cc:dd:ee:ff | MAC Address | Spoofed MAC address; observed in both exploitation waves |
| 00:11:22:33:44:55 | MAC Address | Spoofed MAC address |
| WINDOWS-LAPTOP-001 | Hostname | Suspicious host ID in GlobalProtect logs |
| DESKTOP-GP01 | Hostname | Observed in logs alongside Windows authentications from May 21, 2026 |
| GP-CLIENT | Hostname | Observed in logs alongside Linux authentications from May 17, 2026 |
| Jocker | Hostname | Observed alongside IP 79.130.26[.]202 |
| Microsoft Windows 10 Pro 64-bit | OS String | Hard-coded PoC client OS value in post-PoC exploitation |
| (empty) | Domain Field | Hard-coded empty domain value in PoC client configuration |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
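The indicators in the table and the probe-versus-tunnel distinction from the Rapid7 and Unit 42 observations can be turned into a simple triage pass over GlobalProtect logs. The script below is an added example, not Unit 42 or Rapid7 code: it assumes log records have been exported as CSV in the column order it declares (a real PAN-OS export uses different column names and needs a mapping step), loads the indicators from the table with the defanging brackets removed, flags records that match a source IP, spoofed MAC, suspicious hostname, or the PoC client fingerprint (hard-coded OS string with an empty domain), and marks whether the request path shows a fully established session. The sample log lines are constructed; only the IP, MAC and hostname values come from the table.

```python
"""Triage helper for GlobalProtect logs against the CVE-2026-0257 indicators
listed in the article. Added example, not Unit 42 or Rapid7 code.
Assumption: records have been exported as CSV in the column order below;
real PAN-OS log exports carry different column names and must be mapped."""
import csv
import io

# Indicators taken from the article's table, with defanging brackets removed.
IOC_IPS = {
    "23.128.228.6", "104.207.144.154", "146.19.216.119", "146.19.216.120",
    "146.19.216.125", "179.43.172.213", "185.195.232.139", "198.12.106.60",
    "202.144.192.47", "209.99.191.137", "79.130.26.202",
}
IOC_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
IOC_HOSTNAMES = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT", "Jocker"}
POC_OS_STRING = "Microsoft Windows 10 Pro 64-bit"
# Requests that indicate a fully established tunnel rather than a bare probe.
SESSION_PATHS = {"/ssl-vpn/hipreport.esp", "/ssl-vpn/getconfig.esp"}

COLUMNS = ["time", "src_ip", "user", "mac", "hostname", "os", "domain", "path"]

# Constructed sample records; the IP/MAC/hostname values come from the IoC
# table, everything else (timestamps, users, the benign last row) is made up.
SAMPLE_LOG = """\
2026-05-17T03:12:44Z,146.19.216.125,admin,aa:bb:cc:dd:ee:ff,GP-CLIENT,Linux,corp,/ssl-vpn/login.esp
2026-05-17T03:12:46Z,146.19.216.125,admin,aa:bb:cc:dd:ee:ff,GP-CLIENT,Linux,corp,/ssl-vpn/getconfig.esp
2026-05-21T11:02:10Z,79.130.26.202,admin,00:11:22:33:44:55,Jocker,Microsoft Windows 10 Pro 64-bit,,/ssl-vpn/hipreport.esp
2026-05-21T11:05:01Z,203.0.113.7,jdoe,3c:22:fb:10:aa:01,JDOE-LT,Windows 11,corp,/ssl-vpn/getconfig.esp
"""


def defang(ip):
    """Write an IP with [.] so it cannot be clicked or auto-resolved."""
    return ip.replace(".", "[.]")


def match_reasons(rec):
    """Return the list of indicators a single record matches (empty = clean)."""
    reasons = []
    if rec["src_ip"] in IOC_IPS:
        reasons.append(f"source IP {defang(rec['src_ip'])} is a known actor address")
    if rec["mac"].lower() in IOC_MACS:
        reasons.append(f"spoofed MAC {rec['mac']}")
    if rec["hostname"] in IOC_HOSTNAMES:
        reasons.append(f"suspicious host ID {rec['hostname']}")
    # The public PoC hard-codes this OS string and sends an empty domain.
    if rec["os"] == POC_OS_STRING and rec["domain"] == "":
        reasons.append("PoC client fingerprint (hard-coded OS string, empty domain)")
    return reasons


def triage(log_text):
    """Scan CSV log text and return one alert per matching record."""
    alerts = []
    for rec in csv.DictReader(io.StringIO(log_text), fieldnames=COLUMNS):
        reasons = match_reasons(rec)
        if not reasons:
            continue
        alerts.append({
            "time": rec["time"],
            "src_ip": defang(rec["src_ip"]),
            "user": rec["user"],
            "reasons": reasons,
            # Distinguish a bare cookie probe from a completed VPN session.
            "full_session": rec["path"] in SESSION_PATHS,
        })
    return alerts


def sources_with_full_sessions(alerts):
    """Defanged source IPs that progressed past probing to a real tunnel."""
    return sorted({a["src_ip"] for a in alerts if a["full_session"]})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for alert in found:
        print(alert["time"], alert["src_ip"], alert["user"],
              "FULL SESSION" if alert["full_session"] else "probe",
              "; ".join(alert["reasons"]))
    print("sources with full sessions:", sources_with_full_sessions(found))
```

Records that reach `/ssl-vpn/getconfig.esp` or `/ssl-vpn/hipreport.esp` from a flagged source deserve priority, since those are the requests that confirmed complete session establishment in the observed waves; a match on the PoC fingerprint alone indicates post-PoC tooling rather than the original pre-PoC activity.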
The post Palo Alto Warns of Actively Exploited GlobalProtect VPN Vulnerability appeared first on Cyber Security News.
The popular K-12 student information system Infinite Campus has disclosed a data breach affecting approximately 137,000 users after the notorious threat actor group ShinyHunters executed a “pay or leak” extortion campaign against the platform in March 2026.
ShinyHunters, a well-known cybercriminal group responsible for numerous high-profile data theft operations, targeted Infinite Campus in what investigators describe as a classic extortion scheme.
The group threatened to publicly release stolen data unless the company met their financial demands. When negotiations presumably failed, ShinyHunters followed through on the threat and published the allegedly stolen dataset online.
The leaked data contained 137,000 unique email addresses, along with a range of personally identifiable information (PII), raising immediate concerns about the exposure of sensitive communications between school administrators and the platform’s support teams.
Infinite Campus subsequently issued breach notifications to affected individuals, clarifying the nature of the exposed records.
According to the company, the compromised dataset largely consisted of “names and contact information for school staff,” with the organization noting that “the majority is directory information commonly found on school websites.”
The full scope of exposed data includes email addresses, names, usernames, phone numbers, physical addresses, employer details, job titles, and contents of internal support tickets.
While Infinite Campus downplayed the sensitivity of some exposed fields, according to Have I Been Pwned's report, the inclusion of support ticket data is particularly concerning.
Support tickets often contain detailed technical configurations, reported issues, and internal workflow details that threat actors could leverage for follow-on social engineering or targeted phishing campaigns against school district staff.
With over 12 million students and hundreds of thousands of staff members across U.S. school districts relying on the platform, the breach carries significant downstream risk, even if the directly exposed records primarily belong to school personnel.
Exposed staff contact information combined with support ticket data creates a credible attack surface for spear-phishing and business email compromise (BEC) attempts targeting school districts.
The incident follows a broader trend of ransomware and extortion groups increasingly targeting education sector infrastructure, which typically operates with limited cybersecurity resources compared to enterprise environments.
Affected individuals and organizations should immediately reset passwords for Infinite Campus accounts and any accounts that share the same credentials, and enable multi-factor authentication (MFA) on all administrative portals.
Staff should be alerted to heightened phishing risks, particularly emails impersonating Infinite Campus or district IT personnel.
Organizations are also advised to review exposed support ticket histories for sensitive configuration details and to report any suspicious activity to their district’s IT security team without delay.
The post Infinite Campus Data Breach Exposes Personal Data of 137,000 Users appeared first on Cyber Security News.