Hacked Cameras Killed Khamenei: What That Means for Your Building
I want to talk about the most consequential and least-discussed cyber security story of 2026 so far, which is that Israel maintained access to what the Financial Times reported as "nearly all" of Tehran's traffic camera network, used what Haaretz cybersecurity reporter Omer Benjakob described as "very cutting-edge data processing or big data fusion techniques … Continue reading Hacked Cameras Killed Khamenei: What That Means for Your Building
Category: corporate risks
Oracle Identity Manager RCE: Unfettered Access, Fully Unwanted
I wrote last week about CISA adding Apple iOS zero-days to the Known Exploited Vulnerabilities catalog and noted that the pace of out-of-band emergency patches from major vendors in 2026 is setting some kind of bleak record. Oracle has now decided to contribute to that record. On March 19, they dropped an out-of-band security alert … Continue reading Oracle Identity Manager RCE: Unfettered Access, Fully Unwanted
Trivy Got Trivially Compromised: CanisterWorm Eats Your CI/CD
Remember that thing I wrote about n8n's workflow automation RCE sitting on 24,700 exposed instances, and thinking, okay, that's a bad week for people who build things? Then my feed served up the full picture on TeamPCP's ongoing massacre of Aqua Security's Trivy project and I'm going to need a second coffee. Maybe a third. … Continue reading Trivy Got Trivially Compromised: CanisterWorm Eats Your CI/CD
GPS Spoofing Closed Hormuz: What’s Sinking Your Supply Chain
Twenty percent of the world's seaborne oil normally transits the Strait of Hormuz every day. As of this morning, commercial traffic through the strait is at approximately five percent of normal volume and has been for weeks. The coverage has been excellent on the kinetic dimension: the missile strikes, the drone attacks, twenty-one confirmed attacks … Continue reading GPS Spoofing Closed Hormuz: What’s Sinking Your Supply Chain
ODNI 2026 Threat Report: Four Nations Are Inside Your Network
The US intelligence community released its 2026 Annual Threat Assessment on March 18, and the coverage has been predictably focused on the Iran war, nuclear escalation scenarios, and what Tulsi Gabbard thinks about Venezuelan organised crime. Fair enough. All of that matters. But buried in the congressional testimony from DNI Gabbard and the four-letter-agency directors … Continue reading ODNI 2026 Threat Report: Four Nations Are Inside Your Network
n8n RCE Hits CISA KEV: 24,700 Automation Instances Still Exposed
So after the Apple iOS zero-days landed on CISA's KEV catalog yesterday, this shit is the first news of the morning. I hadn't even washed my coffee cup (I really rarely do) when CISA dropped another KEV addition that made me slam my espresso cup down hard enough to slosh the thing. n8n. The workflow … Continue reading n8n RCE Hits CISA KEV: 24,700 Automation Instances Still Exposed
TriZetto Breach Spills 3.4M Patient Records: Fix Healthcare IT Now
I literally just wrapped up the Clop hit on Madison Square Garden through their Oracle EBS vendor — a post I ended by saying the healthcare software supply chain is the highest-risk version of this exact problem — and I am not even kidding, the confirmation landed before I'd closed the tab. Cognizant's TriZetto Provider … Continue reading TriZetto Breach Spills 3.4M Patient Records: Fix Healthcare IT Now
VMware Aria Is on CISA’s Hotlist: Patch the Admin Console Now
I need a minute. I just wrote about Cisco SD-WAN Manager being actively exploited via CVE-2026-20122 — management console, web shells deployed, watchTowr telling everyone their exposed systems should be assumed compromised — and before that coffee went cold, CISA turns around and drops VMware Aria Operations onto the Known Exploited Vulnerabilities catalog. Another management … Continue reading VMware Aria Is on CISA’s Hotlist: Patch the Admin Console Now
Clop Breached MSG via Third-Party Oracle EBS: 131K SSNs Gone
I had barely finished my write-up on the Marquis vs. SonicWall disaster — where a firewall vendor's own backup service handed ransomware gangs the keys to a fintech company's network — and I was sitting here telling myself that at least we had a lawsuit, at least someone was trying to hold a vendor accountable, … Continue reading Clop Breached MSG via Third-Party Oracle EBS: 131K SSNs Gone
GTIG Drops the Bomb: 90 Zero-Days and Enterprise in the Crosshairs
My coffee wasn't even cold after writing about the Tycoon 2FA PhaaS takedown and what it means for the state of offensive infrastructure, and then Google's Threat Intelligence Group drops the 2025 zero-day review and I nearly choked. Ninety. Ninety zero-days exploited in the wild last year. That's not the number that should make you feel sick, … Continue reading GTIG Drops the Bomb: 90 Zero-Days and Enterprise in the Crosshairs
Tycoon 2FA Is Dead: Europol Kills the MFA-Busting PhaaS King
I need a minute. Because this is genuinely good news, and I don't get to write those very often, and I want to savour it for approximately thirty seconds before I spend the next fifteen hundred words explaining why it doesn't actually fix the underlying problem and you still need to sort your shit out. … Continue reading Tycoon 2FA Is Dead: Europol Kills the MFA-Busting PhaaS King
LexisNexis AWS Breach: ‘Lexis1234’ Opens the Door to Gov Data
I haven't even finished my third coffee this week and I'm already writing about a data breach so stupid it physically hurts. Not "sophisticated nation-state intrusion" stupid. Not "supply chain zero-day" stupid. I mean "the password was literally Lexis1234" stupid. A company trusted by federal judges, DOJ attorneys, and U.S. SEC staff was running a … Continue reading LexisNexis AWS Breach: ‘Lexis1234’ Opens the Door to Gov Data
Marquis vs. SonicWall: When Your Firewall Vendor Hands Over the Keys
I've been saying for years that vendor risk is not a checkbox exercise. I've been saying it in blog posts, in conference rooms, in papers, and presumably in my sleep. And then the Marquis vs. SonicWall lawsuit drops and it is the most perfect, catastrophic illustration of exactly that point that I could not have … Continue reading Marquis vs. SonicWall: When Your Firewall Vendor Hands Over the Keys
CVE-2026-21902 Juniper PTX: Unauthenticated Root on Your Core Router
You know what I love about my mornings? Reading about another critical-severity, unauthenticated remote code execution vulnerability in a piece of network core infrastructure that half the Fortune 500 has sitting in the middle of their backbone. My coffee was almost at a drinkable temperature when the Juniper advisory landed. Almost. CVE-2026-21902. CVSS 9.3 to … Continue reading CVE-2026-21902 Juniper PTX: Unauthenticated Root on Your Core Router
RESURGE Is Still on Your Ivanti Gear — Dormant, Waiting, Hiding
I hadn't even finished my second coffee after writing about China's UNC5221 carpet-bombing organisations globally, and CISA decides to drop an updated malware analysis report that should make every network defender in the room deeply, personally uncomfortable. RESURGE is still out there. On Ivanti Connect Secure devices. Possibly yours. Dormant. Undetected. Sipping a metaphorical coffee … Continue reading RESURGE Is Still on Your Ivanti Gear — Dormant, Waiting, Hiding
Conduent Ransomware Exposes 25 Million Americans: SafePay’s Biggest Payday Yet
TL;DR SafePay ransomware hit Conduent and exposed 25 million Americans' personal data. Likely the largest breach in US history. Here's the full breakdown and what it means for third-party risk management. Twenty-five million Americans. Let that sit for a second. Twenty-five million people who had their data — Social Security numbers, financial records, personal identifiers … Continue reading Conduent Ransomware Exposes 25 Million Americans: SafePay’s Biggest Payday Yet
React’s Server Components RCE Bullshit: CVE-2025-55182 Exposes How Hype Fucks Over Real Security
Jesus Christ, React's latest "innovation" just handed remote code execution to every basement hacker with a keyboard. CVE-2025-55182 turns Server Components into an RCE playground—unauthenticated, CVSS 10.0, and exploiting deserialization like it's 2010 all over again. If your Next.js app's humming on React 19 without patches, you're one POST away from disaster; uncover the full rant and fixes before your server's not yours anymore.
Fortinet SSL VPN Gets Hammered—780 Unique IPs Join the Brute-Force Pileup
Fortinet SSL VPN devices just got hammered by a coordinated brute-force assault involving 780 unique IP addresses. This wasn't random scanning—it was focused, deliberate, and strategic. Attackers are specifically targeting VPN endpoints because they know that's the easiest path into internal networks. If you're running Fortinet SSL VPN with weak passwords and no multi-factor authentication, assume you're already compromised.
Booking.com Gets Phished (Again)—Because Hotel Managers Still Click Malicious Links
A phishing campaign targeting Booking.com partners has been running since April 2025, and it's so profitable that attackers are selling access to compromised accounts on Russian forums. They've stolen guest payment data, orchestrated elaborate social engineering schemes, and—get this—some victims paid twice: once to the hotel, once to the crooks. The hospitality industry is now a target-rich environment for cybercriminals.
Clop’s Oracle EBS Rampage—Another Day, Another Zero-Day, Another Round of Corporate Humiliation
Clop's been quietly exploiting an Oracle E-Business Suite zero-day since August—before the vendor even knew about it. Canon, Broadcom, Dartmouth College, and dozens of others got hit. But here's the thing: Clop's not encrypting anymore. They're just stealing data, then sending extortion emails with proof. Two-month window of unrestricted access, and companies are still discovering compromises. This is the new ransomware playbook.