Executive Summary
- Critical cPanel vulnerability (CVE-2026-41940) is being actively exploited in “Sorry” ransomware attacks with CISA ordering federal agency patches by Sunday
- Russian military-linked hackers harvesting Microsoft Office authentication tokens via compromised routers at scale
- 30,000 Facebook accounts compromised through Google AppSheet phishing relay; Vietnamese-linked operation selling stolen credentials
- Trellix source code repository breached; supply chain risk for customers relying on potentially compromised code
- North Korea now controls 76% of all cryptocurrency stolen in 2026, indicating successful large-scale crypto theft operations
Top Threats Today
1. Critical cPanel Remote Code Execution – Mass Exploitation Underway
Severity: Critical
Affected: Technology, Hosting
CVE-2026-41940 in cPanel is being mass-exploited to deliver “Sorry” ransomware. Successful exploitation grants attackers complete control over cPanel host systems, configurations, databases, and all managed websites. CISA has mandated that all federal agencies patch by Sunday, indicating emergency-level severity. This vulnerability affects millions of websites globally.
Recommended Action
- Immediately patch all cPanel installations to the latest security release
- Scan all websites hosted on cPanel for signs of compromise or unauthorized access
- Monitor file integrity and database changes for indicators of ransomware deployment
- Enable backup verification and test recovery procedures
2. Russian Military Intelligence Harvesting Microsoft Office Tokens via Router Exploitation
Severity: Critical
Affected: Government, Finance, Technology
APT actors linked to Russia’s military intelligence (GRU) are exploiting known vulnerabilities in older internet routers to conduct large-scale harvesting of Microsoft Office authentication tokens. This campaign enables attackers to bypass multi-factor authentication and gain persistent access to enterprise cloud environments at scale, representing a severe threat to organizations with legacy network infrastructure.
Recommended Action
- Audit and replace or patch all end-of-life and legacy routers in your network
- Implement network segmentation to isolate router management from sensitive systems
- Monitor Microsoft Office sign-in logs for suspicious token usage and geographic anomalies
- Enforce device compliance policies for all cloud access attempts
- Review sign-ins from the last 90 days and revoke any suspicious authentication tokens
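The token-usage check from the list above, as an added example that is not part of the original brief: a session established by an interactive sign-in in one country and then refreshed non-interactively from another country shortly afterwards is the pattern a replayed Office token produces. The record fields and the sample sign-ins are constructed for this example and are a simplified shape, not the exact Entra sign-in export schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (simplified field names; assumption, not the
# real export schema). "session" ties an interactive login to later token refreshes.
SAMPLE_SIGNINS = [
    {"time": "2026-05-01T08:00:00Z", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "country": "US", "interactive": True},
    {"time": "2026-05-01T08:20:00Z", "user": "alice@example.com", "session": "S1",
     "ip": "198.51.100.7", "country": "NL", "interactive": False},   # replayed token
    {"time": "2026-05-01T09:00:00Z", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.22", "country": "US", "interactive": True},
    {"time": "2026-05-01T09:30:00Z", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.22", "country": "US", "interactive": False},   # normal refresh
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_token_anomalies(records, window=timedelta(hours=24)):
    """Return sessions whose token was used non-interactively from a country other
    than the one where the session's interactive sign-in happened, within `window`."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session"]].append(rec)

    findings = []
    for session_id, events in by_session.items():
        events.sort(key=lambda r: parse_time(r["time"]))
        # The origin is the first interactive sign-in of the session, if any.
        origin = next((e for e in events if e["interactive"]), None)
        if origin is None:
            continue
        for ev in events:
            if ev["interactive"] or ev["country"] == origin["country"]:
                continue
            delta = parse_time(ev["time"]) - parse_time(origin["time"])
            if timedelta(0) <= delta <= window:
                findings.append({
                    "user": ev["user"], "session": session_id,
                    "origin_country": origin["country"], "seen_country": ev["country"],
                    "ip": ev["ip"], "minutes_after_login": int(delta.total_seconds() // 60),
                })
    return findings


if __name__ == "__main__":
    for f in find_token_anomalies(SAMPLE_SIGNINS):
        print(f)
```

A hit here is a candidate for revoking the user's refresh tokens and re-checking the sign-in for the device and client app involved.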
3. Facebook Account Compromise via Google AppSheet Phishing Relay – 30,000 Accounts Affected
Severity: High
Affected: Technology
A Vietnamese-linked cybercriminal operation (tracked as “AccountDumpling”) has compromised approximately 30,000 Facebook accounts by abusing Google AppSheet as a phishing relay. The stolen credentials are being sold on underground markets. This attack demonstrates adversaries’ ability to abuse legitimate cloud services for phishing infrastructure while evading detection.
Recommended Action
- If affected, reset your Facebook password immediately and review login activity for unauthorized access
- Enable two-factor authentication on all Facebook accounts
- Check for unauthorized applications connected to your Facebook account
- Monitor financial and social accounts linked to Facebook for suspicious activity
4. Trellix Source Code Repository Breach – Supply Chain Risk
Severity: High
Affected: Technology, Defense
Trellix has disclosed unauthorized access to a portion of its source code repository. The breach creates supply chain risk for customers relying on Trellix products, as attackers could identify zero-day vulnerabilities or backdoor opportunities. Forensic investigation is ongoing with external experts.
Recommended Action
- Review Trellix product versions in your environment and register for security updates
- Monitor for official vulnerability disclosures related to this source code exposure
- Increase monitoring for suspicious behavior from Trellix-managed products
- Contact Trellix directly for impact assessment specific to your deployment
5. ConsentFix v3 – Automated Azure OAuth Abuse Attack
Severity: High
Affected: Technology, Finance
A new attack variant dubbed “ConsentFix v3” is circulating in hacker forums, automating OAuth abuse against Microsoft Azure environments. This technique reduces attacker operational overhead and increases the scale of potential compromise. Organizations using Azure OAuth flows are at elevated risk.
Recommended Action
- Review all OAuth application permissions and consent grants in your Azure tenant
- Revoke permissions for unused or suspicious applications immediately
- Implement conditional access policies to restrict token issuance based on risk signals
- Enable Azure AD sign-in risk detection and respond to suspicious OAuth consent attempts
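The consent-grant review from the list above, as an added example that is not part of the original brief: a triage pass over an exported list of OAuth permission grants that flags unapproved applications holding scopes an OAuth-abuse tool would want (mailbox, files, directory write, offline_access). The grant shape, the scope set, the allowlist and the sample grants are constructed for this example and are assumptions, not the exact Graph export format.

```python
# Scopes whose presence on an unreviewed app warrants immediate attention (assumption:
# a starting list, extend it to match the tenant's own policy).
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite.All", "Directory.ReadWrite.All", "offline_access",
}

# Placeholder allowlist of application ids the organization has reviewed.
APPROVED_APP_IDS = {"app-corp-backup-0001"}

# Constructed sample grants in a simplified shape (assumption, not the real schema).
SAMPLE_GRANTS = [
    {"clientId": "app-corp-backup-0001", "displayName": "Corp Backup",
     "consentType": "AllPrincipals", "principal": None,
     "scope": "Files.ReadWrite.All offline_access"},
    {"clientId": "app-unknown-7f3a", "displayName": "PDF Viewer Pro",
     "consentType": "Principal", "principal": "carol@example.com",
     "scope": "Mail.Read offline_access User.Read"},
    {"clientId": "app-calendar-9c1", "displayName": "Meeting Helper",
     "consentType": "Principal", "principal": "dave@example.com",
     "scope": "Calendars.Read User.Read"},
]


def triage_grants(grants, approved=APPROVED_APP_IDS, risky=HIGH_RISK_SCOPES):
    """Return grants to unapproved apps that hold at least one high-risk scope.
    offline_access on its own is not flagged; combined with a data scope it means
    the app keeps a refresh token for long-lived access, so it raises the priority."""
    findings = []
    for grant in grants:
        if grant["clientId"] in approved:
            continue
        scopes = set(grant["scope"].split())
        hits = sorted(scopes & risky)
        if not hits:
            continue
        data_scopes = [s for s in hits if s != "offline_access"]
        if not data_scopes:
            continue
        findings.append({
            "clientId": grant["clientId"],
            "displayName": grant["displayName"],
            "grantedBy": grant["principal"] or "admin (all users)",
            "riskyScopes": hits,
            "priority": "high" if "offline_access" in hits else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in triage_grants(SAMPLE_GRANTS):
        print(f)
```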
Today’s Action Checklist
- ☐ URGENT: Patch all cPanel installations immediately to address CVE-2026-41940 exploitation
- ☐ URGENT: Audit router configurations and replace legacy/end-of-life devices vulnerable to APT token harvesting
- ☐ URGENT: Revoke suspicious Microsoft Office authentication tokens and review 90-day sign-in logs for GRU-linked activity
- ☐ HIGH: Reset Facebook passwords for any employees using personal accounts for business purposes
- ☐ HIGH: Review and revoke unnecessary OAuth consent grants in Azure AD
- ☐ HIGH: Register with Trellix security notifications for source code breach impact assessment
- ☐ Enable or strengthen two-factor authentication across all cloud services
- ☐ Schedule incident response tabletop focused on ransomware deployment and recovery