Have I Been Pwned has added US insurance provider Kemper to its breach corpus with 269,299 unique email addresses. Kemper offers auto, home, life, and health insurance across the United States. As is typical for HIBP additions, the underlying breach source and disclosure details are not published alongside the entry, but the listing lets individuals and organizations check whether their accounts appear in the leaked dataset. Affected customers should anticipate insurance-themed phishing - claim-status updates, policy-renewal prompts, or premium-refund lures. The addition continues a steady run of US financial-services and insurance breaches surfacing in HIBP through late May.
Mandiant has disclosed that attackers exploited a zero-day in the KnowledgeDeliver learning management system (CVE-2026-5426) to deploy the Godzilla in-memory web shell and a custom-encrypted Cobalt Strike beacon. The flaw is a deserialization issue tied to identical pre-shared ASP.NET machine keys distributed in the vendor's default web.config across all customer deployments installed before February 24, 2026. With the shared machineKey, an attacker forges signed ViewState payloads and achieves unauthenticated RCE at the OS level. The threat actor escalated control to modify the platform's JavaScript files, prompting users to install a fake 'security authentication plugin' that delivered the Cobalt Strike payload.
US broadband giant Charter Communications has confirmed a data breach after the ShinyHunters extortion group listed it on its Tor leak site claiming 40 million stolen consumer and business records. ShinyHunters told BleepingComputer the intrusion began April 1 via a vishing attack that compromised an employee's Microsoft Entra account, used to export records from the company's Salesforce instance. Stolen data reportedly includes names, email addresses, addresses, phone numbers, plan information, and some CPNI (Customer Proprietary Network Information). Charter publicly denies CPNI was taken. ShinyHunters' SaaS-extortion playbook continues: Salesforce + Entra/Okta SSO + BPO vishing is the same model used against Instructure and others.
Microsoft has rolled out a preview of automatic device isolation in Microsoft Defender for Endpoint as part of its automatic attack disruption feature. When Defender detects a compromised endpoint, it now disconnects the device from the network without operator action, while preserving the Defender management channel so the host can still be monitored, investigated, and released. Security teams can release a device from containment after triage via 'Release from isolation' on the Device inventory or device page. The feature works only on onboarded end-user workstations. It joins earlier preview controls for blocking traffic to unmanaged endpoints and isolating compromised user accounts.
CISA has given US federal civilian agencies a midnight Wednesday May 27 deadline to patch CVE-2026-9082, the highly critical Drupal SQL injection added to its Known Exploited Vulnerabilities catalog on Friday. Imperva says it has now observed 15,000+ attack attempts targeting nearly 6,000 individual Drupal sites across 65 countries since disclosure, with gaming and financial services taking almost half. Shadowserver tracks ~670 unpatched Drupal instances still exposed online (272 in North America, 273 in Europe). CISA's directive is mandatory only for FCEB agencies under BOD 22-01, but the agency strongly urges all organizations to patch immediately.
Microsoft has released an out-of-band patch for CVE-2026-45659, a remote code execution vulnerability in Microsoft SharePoint Server. The flaw is a deserialization issue and was reported privately by a researcher named MEOW; Microsoft says it is not currently aware of active exploitation but rates it 'less likely to be exploited.' Updates are available for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Last month's CVE-2026-32201 spoofing flaw was actively exploited and machine-key-theft attacks against SharePoint were widespread in 2025, so admins should treat this patch as priority despite the lower-likelihood rating.
Symantec and Carbon Black, working with Huntress, have documented Operation Olalampo, a new MuddyWater (also tracked as Seedworm) espionage campaign that has hit at least nine countries. The Iran-linked actor uses DLL sideloading by abusing two trusted binaries - sentinelmemoryscanner.exe sideloads sentinelagentcore.dll - to deploy the open-source ChromElevator tool, which steals passwords, cookies, and payment-card data from Chromium browsers while bypassing App-Bound Encryption. The campaign also uses Node.js-based implants that drop PowerShell scripts for reconnaissance, SAM-hive theft, screenshot capture, and SOCKS5 reverse-proxy tunneling. Stolen data has been staged on the public file-transfer service sendit[.]sh.
India's national CERT has published a risk-tiered patch SLA blueprint in response to AI-assisted attack acceleration. Internet-facing systems with KEV-listed vulnerabilities must be remediated within 12 hours; critical externally exposed flaws within 1 day; internal-system KEV within 1 day unless documented compensating controls exist; critical internal flaws on high-value systems within 3 days; high-severity issues within 5 days. CERT-In urges defenders to assume breach, adopt Zero Trust and defense-in-depth, embed secure-by-design into AI workflows, validate via red teaming, and treat AI-system visibility as a first-class governance concern. Mitigations (isolation, WAF, monitoring) are expected when no patch is available.
Check Point has documented Iranian APT Nimbus Manticore (also tracked as UNC1549) accelerating its operations during US Operation Epic Fury rather than going quiet. The campaign hits aviation, software, and defense organizations in the US, Europe, and the Middle East via three waves: career-themed phishing using AppDomain hijacking to deploy MiniJunk (February), a trojanized Zoom installer that hijacks legitimate scheduled tasks to deliver the new MiniFast backdoor (March), and the group's first SEO poisoning campaign distributing a weaponized Oracle SQL Developer installer via getsqldeveloper[.]com (April). MiniFast shows signs of AI-assisted development: defensive coding patterns, verbose error strings, and modular structure.
Lithuanian authorities are investigating the theft of around 600,000 records from the country's Centre of Registers, which holds state registry data. The breach was detected in early April and disclosed publicly only after weeks of internal investigation. Centre of Registers chief Adrijus Jusas resigned Monday, citing years of underinvestment that would need ~€60 million to address. The leader of Lithuania's conservative opposition alleges 'hallmarks of a Russian intelligence operation' and warns the data (including residential addresses linked to sensitive government personnel) could enable surveillance, phishing, and sabotage planning. Lithuanian prosecutors have neither confirmed nor denied Russian involvement.