🚨 Instagram had an exploit that allowed you to use Meta AI to reset passwords to accounts with no MFA on them. The exploit was patched a short time ago.
❗️🚨 Microsoft Edge keeps every saved password in process memory as cleartext from the moment it launches. Microsoft's response when reported: "by design."
All of them. Including credentials for sites you won't open this session.
Researcher @L1v1ng0ffTh3L4N tested every major Chromium browser. Edge is the only one that behaves this way.
Chrome decrypts credentials on demand, and App-Bound Encryption locks the keys to an authenticated Chrome process so other processes can't reuse them.
In Chrome, plaintext surfaces only during autofill or when a password is viewed, making memory scraping far less useful.
What makes this extra weird is that Edge still demands re-authentication before revealing those passwords in its Password Manager UI, while the same browser process already holds every one of them in plaintext.
In shared environments, this turns into a credential harvest. On a terminal server, an attacker with admin rights can read the memory of every logged-on user process. In the published PoC video, a compromised admin account lifts stored credentials from two other logged-on (and even disconnected) users with Edge running.
Microsoft's official response when notified: "by design."
The finding was disclosed April 29 at BigBiteOfTech by PaloAltoNtwks Norway, alongside a small educational tool that lets anyone verify the cleartext storage for themselves.
Cybersecurity for SMEs doesn’t have to be complex.
It’s about:
•System stability
•Basic security controls
•Regular maintenance
•Fast response when issues happen
Simple systems = fewer business disruptions.
🚨 BREAKING: cPanel and WHM, the control panels behind an estimated 70+ million websites, have a critical security flaw that lets anyone become root admin without a password. CVE-2026-41940 affects every supported version. It’s already being exploited in the wild.
watchTowr Labs published the full attack today, after the hosting company KnownHost confirmed the bug was already being used to break into a significant chunk of the internet.
If you've never heard of cPanel: it's the dashboard that hosting providers and millions of website owners use to manage their servers, domains, email accounts, databases, and SSL certificates. WHM is the admin version that controls the entire server. If someone gets root access to WHM, they get the keys to the kingdom and to every apartment inside it.
How the attack works, in plain English:
🔴 Step 1: The attacker sends a deliberately wrong login. cPanel still creates a temporary "you tried to log in" record on disk and gives the attacker a cookie tied to it.
🔴 Step 2: The attacker tweaks the cookie to disable cPanel's password encryption. Normally cPanel encrypts the password field on disk. With one small change to the cookie, cPanel just stores it as plain text instead.
🔴 Step 3: The attacker sends a fake login attempt where the password field secretly contains hidden line breaks. cPanel does not strip these line breaks out, so they get written straight to the session file. Each line break creates a brand new fake record. The attacker uses this to inject lines that say "this user is root" and "this user already authenticated successfully."
🔴 Step 4: The attacker visits one more random page on the site to nudge cPanel into re-reading the file. cPanel then promotes the injected fake lines into its main session memory.
🔴 Step 5: On the next request, cPanel sees a flag that says "this user already passed the password check." cPanel trusts that flag, skips checking the actual password, and lets the attacker in as root.
From start to finish, the attack takes a handful of HTTP requests.
If you run cPanel or WHM, the patched versions are:
🔴 cPanel/WHM 110.0.x → 11.110.0.97
🔴 cPanel/WHM 118.0.x → 11.118.0.63
🔴 cPanel/WHM 126.0.x → 11.126.0.54
🔴 cPanel/WHM 132.0.x → 11.132.0.29
🔴 cPanel/WHM 134.0.x → 11.134.0.20
🔴 cPanel/WHM 136.0.x → 11.136.0.5
If your version is older than these, assume someone has already broken in and act accordingly. Patch right now, then rotate every password and key the server touched: root passwords, API tokens, SSL private keys, SSH keys, mail passwords, and database passwords.
A lot of small businesses only think about IT support when something breaks.
By then, it’s already costing them downtime, money, and sometimes data loss.
Preventive system maintenance is underrated in SME operations.
#Cybersecurity
We help small businesses stay secure, stable, and operational through structured IT support and basic cybersecurity services.
Most SMEs don’t need complex systems—they need reliability.
That’s what we focus on at JNC Ventures.
Some context on the public notice the Central Bank of Nigeria put out last week.
The threat actor was legitimately impersonating the CBN as seen in this no-reply email he sent to me.
He claims to have gotten access to internal AWS infrastructure belonging to Nigeria’s apex bank.
More in my latest substack.
‼️🚨 BREAKING: Wiz got access to millions of GitHub repositories across users and organizations using one git push.
CVE-2026-3854: git push -o options injected into an internal header split by semicolons, parsed last-write-wins.
GitHub patched production in 6 hours.
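The cPanel session-file bug described in the post above (hidden line breaks in the password field become new session records, and a later "already authenticated" record is trusted) and the git push -o bug in this post (options smuggled into a semicolon-split internal header, parsed last-write-wins) are the same class: an untrusted value is written into a delimited record format without encoding, and the reader lets later records override earlier ones. The toy below is an added example, not cPanel's, GitHub's, watchTowr's or Wiz's code; the record format, field names, delimiters and attacker inputs are all constructed for illustration. It shows the unsafe writer beside an encoding writer and the same last-write-wins parser over both a newline-delimited "session file" and a semicolon-delimited "header".

```python
"""Delimiter injection into last-write-wins record stores (added example).

Constructed toy, not the code of any product named in the posts. Two
serializers write key=value records joined by a delimiter; the parser
splits on that delimiter and lets the last record for a key win. The
unsafe serializer copies values verbatim, so a value containing the
delimiter appends attacker-chosen records after the trusted ones.
"""
from urllib.parse import quote, unquote


def build_record_unsafe(trusted: dict, untrusted: dict, delimiter: str) -> str:
    # Trusted fields first, then caller-supplied fields, no encoding at all.
    # Any delimiter or "=" inside a value lands in the stored text as-is.
    parts = [f"{k}={v}" for k, v in trusted.items()]
    parts += [f"{k}={v}" for k, v in untrusted.items()]
    return delimiter.join(parts)


def build_record_safe(trusted: dict, untrusted: dict, delimiter: str) -> str:
    # Percent-encode keys and values with safe="" so "\n", ";" and "=" can
    # never appear literally; the record boundary is then only ever written
    # by this function, not by a value it was handed.
    def enc(s: str) -> str:
        return quote(s, safe="")
    parts = [f"{enc(k)}={enc(v)}" for k, v in trusted.items()]
    parts += [f"{enc(k)}={enc(v)}" for k, v in untrusted.items()]
    return delimiter.join(parts)


def parse_records(blob: str, delimiter: str, decode: bool) -> dict:
    # Last-write-wins: a later record silently replaces an earlier one.
    # decode=True undoes the percent-encoding of build_record_safe.
    result = {}
    for record in blob.split(delimiter):
        if not record or "=" not in record:
            continue
        key, _, value = record.partition("=")
        if decode:
            key, value = unquote(key), unquote(value)
        result[key] = value
    return result


def is_root_session(fields: dict) -> bool:
    # The check that trusts a stored "already authenticated" flag.
    return fields.get("user") == "root" and fields.get("authenticated") == "1"


def session_file_demo(encode: bool) -> dict:
    # Newline-delimited session file. The server records the failed login
    # and appends the supplied password. Constructed attacker password:
    # newlines that create "user=root" and "authenticated=1" records.
    trusted = {"user": "guest", "authenticated": "0"}
    untrusted = {"pass": "x\nuser=root\nauthenticated=1"}
    build = build_record_safe if encode else build_record_unsafe
    return parse_records(build(trusted, untrusted, "\n"), "\n", decode=encode)


def push_options_demo(encode: bool) -> dict:
    # Semicolon-delimited internal header. The trusted prefix carries the
    # repository and the caller's role; a push option is appended to it.
    # Constructed attacker option: a ";" that starts a "role=admin" record.
    trusted = {"repo": "org/app", "role": "reader"}
    untrusted = {"opt": "ci.skip=1;role=admin"}
    build = build_record_safe if encode else build_record_unsafe
    return parse_records(build(trusted, untrusted, ";"), ";", decode=encode)


if __name__ == "__main__":
    for name, demo in (("session file", session_file_demo),
                       ("push options", push_options_demo)):
        unsafe, safe = demo(False), demo(True)
        print(f"{name} unsafe: {unsafe}  root? {is_root_session(unsafe)}")
        print(f"{name} safe:   {safe}  root? {is_root_session(safe)}")
```

In the unsafe path the session parse ends with `user=root` and `authenticated=1`, and the header parse ends with `role=admin`, because the injected records come after the trusted ones and the parser keeps the last value. With encoding the injected text survives only as the literal contents of `pass` and `opt`. Where a format cannot tolerate encoded values, the equivalent fix is to reject any key or value containing the delimiter, "=" or control characters before writing; either way the record boundary must never be writable through a value.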
⚠️ A threat actor is selling tested Palo Alto GlobalProtect VPN credentials for 5 corporate networks across 5 different countries, spanning telecommunications, education, business services, and non-profit sectors. The seller states the credentials have been tested but host and AV/EDR posture has not been checked.
⠀
‣ Threat Actor: AckLine
‣ Category: Initial Access Sale
‣ Offering: Palo Alto GlobalProtect VPN access (5 organizations)
‣ Industry: Mixed (telecom, education, ISP, non-profit, business services)
⠀
The listing follows the standard Initial Access Broker format with revenue, employee count, country, and industry listed for each victim, allowing ransomware affiliates to evaluate targets by potential payout.
⠀
Listed accesses:
⠀
▪️ Romania, telecommunications, $290M+ revenue, 1k-5k employees
▪️ Colombia, non-profit, $120M+ revenue, 500-1000 employees
▪️ Thailand, business service, $10M+ revenue, 50-200 employees
▪️ Slovenia, ISP/telecommunications, $25M+ revenue, 50-200 employees
▪️ Spain, education, $350M+ revenue, 1k-5k employees
⠀
Risk to defenders:
⠀
▪️ GlobalProtect VPN credentials provide remote network entry that often bypasses perimeter detections
▪️ Two telecommunications/ISP victims listed, sectors that typically grant broad downstream access if pivoted
▪️ A $350M revenue Spanish education target and a $290M Romanian telecom are sized for ransomware extortion
▪️ Buyer is told to bring their own host/EDR enumeration, suggesting the seller is volume oriented and likely sourcing credentials from infostealer logs or phishing
❗️ Don’t wait for the “wE rEgReT tO iNfOrM yOu” Email
Companies can take days, weeks, or even months to admit your data was stolen.
Threat actors don’t wait. Neither should you.
🛡️ https://t.co/gduoLeGVre - Stay one step ahead of threats and slow disclosures.
‼️ Received a tip...
SiS Distribution (Thailand) Public Company Limited (https://t.co/mk0FEJkmEx) has allegedly been compromised, "specifically their backup as a service."
The actor shared a video as proof, but I cannot ethically share it due to the sensitivity of its contents... so I'm providing redacted screenshots. The video is 1m 55s long.
Some companies that the actor states are involved: Softbank, Hilton, Bridgestone, Indorama, JellyBelly. The company has an estimated revenue of $765.2 Million.
They claim the "attack vector was gaining access to their Wasabi account manager from this we were able to reset any sub-accounts credentials, log into these sub accounts via Wasabi console and generate our own s3 keys, add the accounts to Wasabi Explorer and copy buckets to our servers, evidence displayed below."
They state: "They ask us for our requests and cease to write back after stating, it didn't have to come to this however it is not our decision, this was theirs."
‼️🇮🇱 Galcomm (https://t.co/HefHlR7dl0), one of Israel's largest ICANN accredited domain registrars and hosting providers, has allegedly suffered an unauthorized access of its internal systems, with its database and full source code published on a popular cybercrime forum.
⠀
‣ Threat Actor: NormalLeVrai
‣ Category: Data Breach / Source Code Leak
‣ Victim: Galcomm (Communigal Communication Ltd)
‣ Industry: Domain Registration / Web Hosting
⠀
Galcomm is an Israel based registrar with over 20 years of operation, providing domain registration, hosting, and SSL services to customers in Israel and internationally. The actor has released both the database and source code for free download. The leak allegedly contains:
⠀
▪️ 31,000 database lines
▪️ 2.32 GB of compressed source code
⠀
The sample posted shows entries from a form fields table (Ninja Forms schema), with field labels including Name, Email, Message, and Full Name, and a column flagging records as personally identifiable.
‼️🇧🇷 Marina Park Hotel, a 5 star 315 room hotel located in Fortaleza, Ceará, Brazil, has allegedly had a webmail account accessed and fully scraped, with the contents posted for free download on a popular cybercrime forum.
⠀
‣ Threat Actor: nearlevrai
‣ Category: Email Compromise / Mailbox Scrape
‣ Victim: Marina Park Hotel Fortaleza
‣ Industry: Hospitality / Hotels
⠀
The actor claims to have found and scraped a Marinapark webmail account in full. The dump allegedly contains:
⠀
▪️ 4,279 emails recovered
▪️ 375 attachments saved
⠀
No sample content, schema, or indication of which mailbox was accessed is provided in the listing.
@ForlanLight@nsavecom Why does @nsavecom close user accounts while still holding their funds? If there’s a policy breach, shouldn’t users at least be allowed to withdraw their remaining balance? This is people’s money — we deserve clarity.