A 22-year-old follower recently messaged me asking for career advice.
Here are the 5 pieces of advice I shared:
1. Swallow the Frog: This is one of the greatest "hacks" to get ahead early in your career. Observe your boss, figure out what they hate doing, learn to do it, and take it off their plate. Easy win.
2. Do the "Old Fashioned" Things Well: There are simple things that still stand out. Look people in the eye, do what you say you'll do, be early, practice good posture, have a confident handshake. It sounds silly, but these things are all free and will never go out of style.
3. Work Hard First (& Smart Later): It's in vogue to say that working smart is all that matters. Wrong. If you want to accomplish anything meaningful, you have to start by working hard. Build a reputation for hard work—take pride in it. Then you can start to build leverage to work smart.
4. Build Storytelling Skills: World-changing CEOs aren't the smartest or most talented in their organizations. They are exceptional at: (1) Aggregating data and (2) Communicating it simply & effectively. Data in, story out. Build that skill and you'll always be valuable.
5. Build a Rep for Figuring It Out: Early on, you'll be given a lot of tasks you have no idea how to complete. There's nothing more valuable than someone who can just figure it out. Do some work, ask the key questions, get it done. People will fight over you.
Embrace those 5 pieces of advice and I guarantee you'll stand out and be on the right track.
If you enjoyed this or learned something, follow me @SahilBloom for more in the future.
Dennis Itumbi, Head of Presidential Special Projects in Kenya's State House, shared a photo on X claiming to show world leaders at the 2026 G7 Summit. It contains at least four verifiable red flags.
A fact-check🧵
‼️🚨 BREAKING: 320,000 Fortinet firewall devices have been targeted in a campaign that has been dubbed 'FortiBleed'. Attackers were able to confirm 75,000 working credentials against the admin and SSL VPN interfaces.
The victims include really big names like Samsung, Oracle, Spotify, Sony, and more.
The data was first surfaced by researcher Volodymyr "Bob" Diachenko and analyzed by Hudson Rock and SOCRadar. The operation runs as a self-feeding loop. Attackers scan the internet for exposed Fortinet devices, then test each one against a curated list of passwords leaked from earlier Fortinet breaches and infostealer logs. Every successful login gets recorded into a verified database. They then turn each compromised box into a listening post, sniffing the traffic passing through the firewall to harvest fresh credentials, which go straight back into the scanner.
The scale is large. The group ran an estimated 1.16 billion credential attempts against more than 320,000 FortiGate targets, plus 2.1 billion brute-force tries against 160,000 MSSQL servers. In the deeper intrusions they intercept SSL VPN authentication hashes, crack them on a dedicated 45-GPU cluster, and move into internal Active Directory.
Diachenko confirmed full network compromises in Japan, Taiwan, Vietnam, Iraq, and Turkey, including a Turkish NATO defense contractor that had classified defense documents stolen.
If you run Fortinet, act now: rotate every VPN and admin credential, enforce MFA on all external gateways, restrict management access to approved sources, segment internal networks, and audit gateway logs for unusual logins. Hudson Rock has a free domain lookup at https://t.co/KLv2YiMtpm.
Data surfaced via the Hunt Intelligence, Inc. feed.
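The advice above ends with "audit gateway logs for unusual logins". As an added example (not part of the original post, and not code from Hudson Rock or SOCRadar), the script below shows what that audit can look like for the pattern the post describes: one source IP hammering the admin and SSL VPN interfaces with many usernames, then finally getting in. The log lines are constructed for this example in FortiOS key=value style; the field names (`subtype`, `action`, `status`, `srcip`, `remip`, `user`) approximate real FortiGate event logs and the values are made up, so map them to your own log schema before use.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiOS-style key=value syslog format.
# Field names approximate real FortiGate event logs; values are invented.
SAMPLE_LOGS = [
    'date=2026-05-01 time=09:00:01 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-05-01 time=09:00:02 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-05-01 time=09:00:03 type="event" subtype="system" logdesc="Admin login failed" user="fortinet" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-05-01 time=09:00:04 type="event" subtype="system" logdesc="Admin login failed" user="backup" srcip=203.0.113.5 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-05-01 time=09:00:05 type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" user="vpnadmin" remip=203.0.113.5 reason="sslvpn_login_unknown_user"',
    'date=2026-05-01 time=09:00:06 type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" user="backup" remip=203.0.113.5 reason="sslvpn_login_permission_denied"',
    'date=2026-05-01 time=09:00:09 type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" user="backup" remip=203.0.113.5 tunneltype="ssl-tunnel"',
    # A normal user who mistypes once and then logs in: should not be flagged.
    'date=2026-05-01 time=09:15:00 type="event" subtype="system" logdesc="Admin login failed" user="alice" srcip=198.51.100.7 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-05-01 time=09:15:20 type="event" subtype="system" logdesc="Admin login successful" user="alice" srcip=198.51.100.7 action="login" status="success"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        fields[key] = val
    return fields


def classify(fields):
    """Return (outcome, interface) for an authentication event, else (None, None).

    outcome is 'failed' or 'success'; interface is 'admin' or 'sslvpn'.
    """
    subtype = fields.get("subtype")
    if subtype == "system" and fields.get("action") == "login":
        status = fields.get("status")
        if status in ("failed", "success"):
            return status, "admin"
    elif subtype == "vpn":
        action = fields.get("action", "")
        if action == "ssl-login-fail":
            return "failed", "sslvpn"
        if action == "tunnel-up":
            return "success", "sslvpn"
    return None, None


def source_ip(fields):
    # Admin events carry srcip; SSL VPN events carry remip.
    return fields.get("srcip") or fields.get("remip")


def analyze(lines, fail_threshold=5, spray_threshold=3):
    """Aggregate auth events per source IP and return a list of findings.

    A source is flagged when it has >= fail_threshold failures, tries
    >= spray_threshold distinct usernames, or succeeds after a burst of failures.
    """
    stats = defaultdict(lambda: {"failed": 0, "users": set(),
                                 "success_users": set(), "interfaces": set()})
    for line in lines:
        fields = parse_line(line)
        outcome, iface = classify(fields)
        ip = source_ip(fields)
        if outcome is None or not ip:
            continue
        entry = stats[ip]
        entry["interfaces"].add(iface)
        if outcome == "failed":
            entry["failed"] += 1
            entry["users"].add(fields.get("user", "?"))
        else:
            entry["success_users"].add(fields.get("user", "?"))

    findings = []
    for ip, entry in stats.items():
        reasons = []
        if entry["failed"] >= fail_threshold:
            reasons.append(f"{entry['failed']} failed logins")
        if len(entry["users"]) >= spray_threshold:
            reasons.append(f"{len(entry['users'])} distinct usernames (spraying)")
        if entry["failed"] >= fail_threshold and entry["success_users"]:
            reasons.append(f"success for {sorted(entry['success_users'])} after failures "
                           "(possible credential stuffing hit)")
        if reasons:
            findings.append({"srcip": ip, "interfaces": sorted(entry["interfaces"]),
                             "reasons": reasons})
    return sorted(findings, key=lambda f: f["srcip"])


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding["srcip"], finding["interfaces"], "; ".join(finding["reasons"]))
```

The third rule (a success from a source that has just racked up failures) is the one that matters most for the campaign described: a credential-stuffing hit looks like a legitimate login if you only look at the successful event in isolation. Run it over the exported event log of each gateway rather than the traffic log, and tune the thresholds to the login volume you normally see.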
⚠️ New "IronWorm" supply-chain attack: 30+ npm packages from @ asteroiddao shipped a malicious Rust binary firing on preinstall.
It sweeps 86 env vars + 20 credential files (AWS, GCP, Vault, npm, plus AI keys like Anthropic & OpenAI), hits Exodus wallets, hides behind an eBPF rootkit, and beacons over Tor. Self-propagates via npm Trusted Publishing OIDC, with backdated commits faked as claude/dependabot/renovate.
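The post says the payload fires on `preinstall`, one of the lifecycle hooks npm runs automatically during `npm install`. An audit of which installed packages register install-time hooks is a cheap first check after news like this. The script below is an added example written for this page, not code from the post's author or from any affected project: it inspects `package.json` manifests (constructed in-memory samples here, or a real `node_modules` tree via `audit_node_modules`) and lists every `preinstall`/`install`/`postinstall`/`prepare` command so a human can review them. The package names and commands in the samples are invented.

```python
import json
import os

# Lifecycle hooks npm executes on install without any further user action.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed sample manifests: one clean package, one with a benign-looking
# postinstall, one launching a bundled binary at preinstall. Names are invented.
SAMPLE_MANIFESTS = {
    "tiny-left-pad": json.dumps({"name": "tiny-left-pad", "version": "1.0.0"}),
    "native-helper": json.dumps({
        "name": "native-helper", "version": "2.3.1",
        "scripts": {"postinstall": "node install.js", "test": "jest"},
    }),
    "@example/ui-kit": json.dumps({
        "name": "@example/ui-kit", "version": "0.9.4",
        "scripts": {"preinstall": "./bin/setup-$(uname -s)", "build": "tsc"},
    }),
}


def flagged_scripts(package_json_text):
    """Return {hook: command} for install-time hooks declared in one package.json."""
    try:
        manifest = json.loads(package_json_text)
    except json.JSONDecodeError:
        return {}
    scripts = manifest.get("scripts") or {}
    if not isinstance(scripts, dict):
        return {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def audit_manifests(manifests):
    """manifests: {package_name: package.json text}.

    Returns a sorted list of (package_name, hook, command) for review.
    """
    findings = []
    for name, text in sorted(manifests.items()):
        for hook, command in flagged_scripts(text).items():
            findings.append((name, hook, command))
    return findings


def audit_node_modules(root="node_modules"):
    """Walk an installed node_modules tree and audit every package.json in it."""
    manifests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" in filenames:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifests[os.path.relpath(dirpath, root)] = fh.read()
    return audit_manifests(manifests)


if __name__ == "__main__":
    target = audit_node_modules() if os.path.isdir("node_modules") else audit_manifests(SAMPLE_MANIFESTS)
    for name, hook, command in target:
        print(f"{name}: {hook} -> {command}")
```

Every hit is a command that ran, or will run, with your user's environment variables and credential files readable. Pairing this audit with `npm config set ignore-scripts true` (and re-enabling scripts only for packages that genuinely need a native build) removes the automatic execution path the post describes, which is the step that actually limits blast radius.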
@ODPC_KE You say registration is a statutory obligation but the registration flow presents an optional path for businesses with turnover < KES 5m and that don’t process data in sensitive categories predetermined by ODPC. So is it actually mandatory? Messaging is unclear.
@ODPC_KE You say registration is mandatory but the registration flow presents an optional path for businesses with turnover < KES 5m and that don’t process data in sensitive categories predetermined by ODPC. So is it actually mandatory? Messaging is unclear.
We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.
Ikeja Electric was hacked through a profile photo upload form.
The threat actor exploited an Unrestricted File Upload vulnerability on their Smart Warehousing Inventory Management System, uploaded a webshell, and had remote access within minutes.
From there, he moved through their network, finding passwords stored in plain text, using them to access internal systems, and eventually cracking the domain admin password.
Gaining full control in four days.
He then exploited an unpatched VMware vCenter server—software from 2018, never updated—and according to him, deployed ransomware across 50+ hosts, taking down metering software across their systems.
I’ve published a full analysis of what I’m now calling cyber-terrorism against Nigerian critical infrastructure, along with a practical advisory for affected individuals, organisations, and regulators.
https://t.co/0rzvhVcLNf
🚨 UPDATE on the cPanel/WHM authentication bypass (CVE-2026-41940): Shadowserver now reports at least 44,000 unique IPs compromised and actively scanning their honeypot network on April 30, 2026.
What this means in practice. Within roughly 24 hours of public disclosure, attackers have already taken over enough vulnerable cPanel/WHM servers to use them as a global scanning swarm, hunting for the next batch of victims. Each of those 44,000 IPs is itself a compromised host, mostly shared-hosting servers running customer websites, email, and databases.
Shadowserver also reports approximately 650,000 cPanel/WHM instances exposed to the internet in total. Anything not patched today is sitting in the targeting pool.
🚨 BREAKING: cPanel and WHM, the control panels behind an estimated 70+ million websites, have a critical security flaw that lets anyone become root admin without a password. CVE-2026-41940 affects every supported version. It’s already being exploited in the wild.
watchTowr Labs published the full attack today, after the hosting company KnownHost confirmed the bug was already being used to break into a significant chunk of the internet.
If you've never heard of cPanel: it's the dashboard that hosting providers and millions of website owners use to manage their servers, domains, email accounts, databases, and SSL certificates. WHM is the admin version that controls the entire server. If someone gets root access to WHM, they get the keys to the kingdom and to every apartment inside it.
How the attack works, in plain English:
🔴 Step 1: The attacker sends a deliberately wrong login. cPanel still creates a temporary "you tried to log in" record on disk and gives the attacker a cookie tied to it.
🔴 Step 2: The attacker tweaks the cookie to disable cPanel's password encryption. Normally cPanel encrypts the password field on disk. With one small change to the cookie, cPanel just stores it as plain text instead.
🔴 Step 3: The attacker sends a fake login attempt where the password field secretly contains hidden line breaks. cPanel does not strip these line breaks out, so they get written straight to the session file. Each line break creates a brand new fake record. The attacker uses this to inject lines that say "this user is root" and "this user already authenticated successfully."
🔴 Step 4: The attacker visits one more random page on the site to nudge cPanel into re-reading the file. cPanel then promotes the injected fake lines into its main session memory.
🔴 Step 5: On the next request, cPanel sees a flag that says "this user already passed the password check." cPanel trusts that flag, skips checking the actual password, and lets the attacker in as root.
From start to finish, the attack takes a handful of HTTP requests.
If you run cPanel or WHM, the patched versions are:
🔴 cPanel/WHM 110.0.x → 11.110.0.97
🔴 cPanel/WHM 118.0.x → 11.118.0.63
🔴 cPanel/WHM 126.0.x → 11.126.0.54
🔴 cPanel/WHM 132.0.x → 11.132.0.29
🔴 cPanel/WHM 134.0.x → 11.134.0.20
🔴 cPanel/WHM 136.0.x → 11.136.0.5
If your version is older than these, assume someone has already broken in and act accordingly. Patch right now, then rotate every password and key the server touched: root passwords, API tokens, SSL private keys, SSH keys, mail passwords, and database passwords.
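The version table above is easy to misread when a fleet reports versions in slightly different shapes ("11.110.0.96" versus "110.0.96"). As an added example, not from the post's author and not from cPanel, the checker below encodes the six fixed versions listed in the post, normalizes either form, and classifies a reported version as patched, vulnerable, unsupported (a branch older than any listed) or unknown (a branch not listed). It optionally reads the local version file; the path `/usr/local/cpanel/version` is an assumption of this example and should be confirmed on your own hosts.

```python
import os

# Fixed versions exactly as listed in the post, keyed by release branch.
FIXED_VERSIONS = {
    110: "11.110.0.97",
    118: "11.118.0.63",
    126: "11.126.0.54",
    132: "11.132.0.29",
    134: "11.134.0.20",
    136: "11.136.0.5",
}

# Assumed location of the locally installed version string (verify on your host).
VERSION_FILE = "/usr/local/cpanel/version"


def parse_version(text):
    """Return a comparable tuple, accepting '11.110.0.97' or '110.0.97'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError("empty version string")
    if parts[0] != 11:
        # Branch given without the leading '11.' product prefix.
        parts = (11,) + parts
    if len(parts) < 2:
        raise ValueError(f"cannot determine branch from {text!r}")
    return parts


def assess(version_text):
    """Classify a reported version against the post's fixed-version table.

    Returns (status, fixed_version_or_None) where status is one of
    'patched', 'vulnerable', 'unsupported', 'unknown'.
    """
    version = parse_version(version_text)
    branch = version[1]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        if branch < min(FIXED_VERSIONS):
            # Older than every branch that received a fix: treat as compromised.
            return "unsupported", None
        return "unknown", None
    if version >= parse_version(fixed):
        return "patched", fixed
    return "vulnerable", fixed


def assess_local(path=VERSION_FILE):
    """Read the installed version from disk, if present, and assess it."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return assess(fh.read())


if __name__ == "__main__":
    result = assess_local()
    if result is None:
        # No local install: show the classification on a few constructed inputs.
        for sample in ("11.136.0.3", "11.136.0.5", "110.0.96", "11.108.0.12", "11.140.0.1"):
            print(sample, "->", assess(sample))
    else:
        print(VERSION_FILE, "->", result)
```

"patched" only means the version string is at or above the fix release; it says nothing about whether the host was entered before the update, which is why the post's rotate-everything step still applies to any server that was exposed before it was patched.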
We’ve identified a security incident that involved unauthorized access to certain internal Vercel systems, impacting a limited subset of customers. Please see our security bulletin:
https://t.co/0S939n3qHC
@kcsfa Good idea, though I foresee adoption challenges. For instance, how does this work where publishers use pseudonyms and other anonymization techniques for legitimate reasons?
In my previous post, I demonstrated how Waze user data can be scraped from the public web map to track individuals.
But I glossed over something important: what does Waze's own privacy policy say about your data?
I went through the full policy. Here's what stood out.
AI coding, or vibe coding as they call it these days, helps to write code faster and has been helping to produce applications really fast. It is great for prototyping, but without careful consideration you might be in for a disaster.
There are extra measures to take into consideration to avoid security vulnerabilities, which requires going back to basics. Too many vibe-coded applications these days are vulnerable and spilling out sensitive data. We need to avoid that as much as possible by going back to basics.
After months of speculation, NCBA Group PLC has confirmed that it has received an offer to be acquired by Nedbank Group Limited:
— Nedbank Group Limited is one of South Africa’s largest banking groups and is listed on the Johannesburg Stock Exchange (JSE).
— Nedbank is seeking to acquire up to 66% of NCBA through a tender offer valuing the bank at 1.4x book value, with the remaining 34% of shares continuing to trade on the Nairobi Securities Exchange.
— Under the proposed structure, participating NCBA shareholders will receive 20% of the consideration in cash, with the remaining 80% settled through the issuance of Nedbank ordinary shares listed on the JSE.