RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: msp (2 articles)Clear
threat
CVE-2026-41940
2026-05-04

cPanel ransomware attackers are now hunting government agencies and the IT companies that manage them

Update on the cPanel ransomware wave covered May 3: attackers have shifted focus and are now targeting governments and managed service providers exploiting CVE-2026-41940. Security Affairs reports the operation is no longer just opportunistic mass-encryption of small business websites - the actors are deliberately looking for hosting accounts owned by government agencies and IT firms that manage downstream customers. CISA added the cPanel flaw to its KEV catalog Friday with a federal patch deadline of May 21. With 44,000 cPanel hosts already compromised in the initial wave, the secondary phase targeting MSPs has the potential to multiply impact through customer-tenant relationships - much like the 2023 Kaseya VSA campaign.

cpanelsorry-ransomwaregovernment-targetingmspfollow-upcisa-kevfederal-deadlinekaseya-comparisonsupply-chain-amplification
Check
Audit /var/cpanel/sessions/raw/ for entries created since February 23, 2026. Search for files with the .sorry extension across hosted sites. Check authentication logs for unusual successful logins between February 23 and April 28.
Affected
Government agencies, MSPs, and hosting companies running unpatched cPanel infrastructure. Particularly acute: MSPs whose cPanel instances host downstream customer accounts - a single compromise spreads to many tenants. Federal agencies under BOD 22-01 must patch by May 21. State and local governments without that mandate face the same active threat without the same enforcement.
Fix
Patch cPanel to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5. Restore from backups predating February 23 rather than just resuming operations. Rotate root, admin, and customer credentials. For MSPs: notify customers proactively before they discover compromise from a ransom note.
threat
2026-05-03

China-linked spies breached the IBM subsidiary that runs IT for Italian government agencies and critical industries

La Repubblica reported a significant breach at Sistemi Informativi, a wholly-owned IBM Italy subsidiary that manages IT infrastructure for Italian public agencies and key industries. Multiple intelligence sources attribute the attack to Salt Typhoon, the China-linked espionage group that has hit US telecoms (AT&T, Verizon, Viasat), Canadian telecom firms, the US Army National Guard, Dutch government networks, and now Italian critical infrastructure. Salt Typhoon's hallmark is patience - prolonged data exfiltration, silent network observation, and infrastructure compromise rather than fast theft. The group has been active since at least 2019 and has reportedly hit 200+ companies across 80 countries.

salt-typhoonsistemi-informativiibm-italychina-aptcritical-infrastructurela-repubblicasupply-chainmspeuropean-targetingdemodex
Check
If your organization uses managed IT services for critical infrastructure (utilities, transport, healthcare, government), audit your provider's separation between corporate IT and customer environments this week.
Affected
Italian government agencies and key industries using Sistemi Informativi for IT infrastructure. More broadly: any organization where a single integrator holds access to multiple government databases - the breach pattern lets Salt Typhoon map critical infrastructure across many victims through one compromise. European telecoms and managed service providers are at acute risk.
Fix
Demand from any managed IT provider written attestation that customer environments are network-segregated from their corporate IT. Hunt for Salt Typhoon indicators: unauthorized configuration changes on edge devices, traffic to known Demodex C2 infrastructure, and anomalous data flows to Asian hosting providers. Treat the Italian breach as a reason to escalate vendor security reviews this quarter.