Live Signal Tracker
East Asia Cyber & AI Risk Tracker
TWCERT warns of phishing campaigns abusing Microsoft 365, lookalike domains, and short-lived SSL certificates to evade defenses
Taiwan’s national CERT (TWCERT/CC) reports an active social-engineering campaign that combines legitimate Microsoft 365 email accounts, near-typosquat domains, and short-term SSL certificates to bypass email and web defenses. The activity includes two waves: (1) broad phishing emails themed as “Microsoft account abnormal sign-in activity” and (2) targeted spear-phishing that repeatedly sends “Microsoft one-time co...
“Contagious Interview” evolves: attackers abuse VS Code Tasks and Workspace Trust to auto-run malware on folder open
Taiwan’s TWCERT/CC reports a technical shift in the “Contagious Interview” campaign: instead of relying on victims to manually run a malicious file, attackers embed a malicious .vscode/tasks.json that triggers automatically when a project folder is opened in Visual Studio Code under “trusted” mode. The activity primarily targets cryptocurrency-industry software engineers and freelancers via job and outsourcing pla...
Google Identifies Shift to AI-Driven Zero-Day Exploitation and Autonomous Malware Operations
Google's Threat Intelligence Group (GTIG) and Mandiant have reported a significant evolution in cyber threats, observing Chinese, North Korean, and Russian state actors utilizing Large Language Models (LLMs) to automate vulnerability discovery and orchestrate complex autonomous attacks.
Japan's SCS Evaluation System Shifts Toward Continuous Security Operations and Workforce Frameworks
Japan is implementing a new Supply Chain Cybersecurity (SCS) Evaluation System that prioritizes continuous operational maintenance over one-time audits, requiring organizations to integrate annual inspections and specialized personnel frameworks into their core business processes.
Taiwan CERT warns of three vulnerabilities in WeiQiao Information SSO and electronic directory system, including critical unauthenticated LFI (CVE-2026-3826)
TWCERT/CC disclosed three vulnerabilities affecting WeiQiao Information’s “Single Sign-On and Electronic Directory Service System” (單一簽入暨電子目錄服務系統). Two medium-severity issues are open redirect (CVE-2026-3824) and reflected XSS (CVE-2026-3825), both described as exploitable by authenticated remote attackers via user interaction. A critical issue, CVE-2026-3826 (CVSS 9.8), is a local file inclusion flaw described as...
Critical Microsoft ASP.NET Core Vulnerability Enables System Privilege Escalation
Microsoft has released urgent security updates for ASP.NET Core to address CVE-2026-40372, a critical elevation of privilege vulnerability. Flaws in cryptographic signature validation allow unauthenticated attackers to forge authentication cookies and gain SYSTEM-level access. The vulnerability primarily impacts non-Windows environments using the Data Protection package, requiring immediate patching of affected co...
Exploiting Human Logic: The Rise of 'MFA Fatigue' and Password Manager Social Engineering
Modern cyber threats are shifting focus from breaking encryption to manipulating user behavior through psychological fatigue. New tactics target the friction between automated security tools and manual user intervention, specifically exploiting the 'MFA fatigue' phenomenon and the warning dialogs of password managers to trick users into authorizing unauthorized access or bypassing domain-matching security protocols.
MongoDB “MongoBleed” (CVE-2025-14847) memory disclosure: unauthenticated zlib packets can leak secrets; added to CISA KEV
Taiwan’s TWCERT/CC warns that a high-risk MongoDB Server vulnerability, CVE-2025-14847 (CVSS v4: 8.7), is under active exploitation and can leak sensitive data from server memory. The issue—dubbed “MongoBleed” by researchers—stems from incorrect handling of the reported length of zlib-decompressed messages, which can cause residual uninitialized heap memory to be included in responses. TWCERT/CC notes that more th...
Taiwan CERT warns of “Operation WrtHug” targeting ASUS routers via AiCloud command-injection flaws
Taiwan’s TWCERT/CC issued an urgent alert citing SecurityScorecard’s STRIKE team research into “Operation WrtHug,” a sustained campaign targeting ASUS small office/home office routers worldwide. The activity is reported to abuse known, publicly disclosed OS command-injection vulnerabilities—including issues referenced alongside CVE-2023-39780—focused on the AiCloud service. TWCERT/CC says compromised routers may b...
Taiwan CERT flags critical OS command injection in NewSoftOA (CVE-2026-5965), patch available
TWCERT/CC published a critical vulnerability notice for NewSoftOA, an office automation product from NewSoft (力新國際). The issue, tracked as CVE-2026-5965 and TVN-202604008, is an OS command injection flaw with a CVSS 3.1 score of 9.8. TWCERT/CC recommends upgrading to NewSoftOA 10.1.8.3 or later to address the risk.
Taiwan CERT warns of critical unauthenticated API flaw in GCB/FCB government-finance security audit software (CVE-2026-4312)
TWCERT/CC disclosed a critical “Missing Authentication” vulnerability in Chunghwa Long Network’s GCB/FCB government/financial cybersecurity configuration audit software. The issue allows a remote, unauthenticated attacker to use an API function to create a new administrator-privileged account. Affected deployments are versions prior to 20260108; users are advised to upgrade to 20260108 or later.
AWS previews full-repository code scanning in AWS Security Agent
AWS announced a preview feature in AWS Security Agent called “full repository code review,” which scans an entire codebase to perform context-aware security analysis. AWS positions the capability as complementary to traditional SAST by modeling an application’s architecture (entry points, trust boundaries, data flows, and authorization invariants), then dispatching specialized agents to investigate higher-risk are...
AWS frames “AI sovereignty” as control-and-choice across the AI stack, highlighting Nitro isolation, Bedrock data-use commitments, and sovereign deployment options
In a Security Blog post, AWS outlines how it approaches “AI sovereignty” as an extension of digital sovereignty, centered on data sovereignty (including residency and operator access restrictions) and operational sovereignty (including resilience and independence). AWS positions its sovereignty offering as “control and choice” across the AI stack—deployment location options (including on-premises and isolated depl...
Generative AI Reshapes Gen Z Corporate Training in Japan Amid Literacy Concerns
Japanese enterprises are increasingly deploying Generative AI to train Gen Z new hires, utilizing AI avatars for customer service role-play and accelerated system development. While these tools improve operational efficiency and reduce psychological barriers for digital-native employees, companies are simultaneously intensifying information literacy training to mitigate risks associated with AI-generated hallucina...
Passkeys and SSO Adoption Drive First Decline in Managed Password Volume Since 2020
A 2026 study by NordPass reveals that the average number of managed passwords per user has decreased to 120, marking a reversal of a multi-year growth trend. The shift is attributed to the rise of passkeys, biometric authentication, and Single Sign-On (SSO) platforms, signaling a transition toward passwordless infrastructure.
Convergence of Human and System Vulnerabilities: Analyzing 'Copy Fail' and Recent Japanese Security Breaches
Recent high-profile security incidents involving Hatena and Money Forward, combined with the discovery of the 'Copy Fail' Linux kernel vulnerability (CVE-2026-31431), highlight a dangerous trend where attackers combine social engineering with local system exploits to bypass traditional network defenses.
IDOR Vulnerability in Sun Rise School Management App Exposes Student and User Data
A high-severity Insecure Direct Object Reference (IDOR) vulnerability has been identified in the 'App好校通' (App School Link) mobile application developed by Sun Rise Technology, potentially allowing authenticated users to access and modify unauthorized records.
Dual High-Severity Vulnerabilities Identified in SunNet Corporate Training and Performance Management Systems
Taiwan's TWCERT/CC has disclosed two high-severity security vulnerabilities affecting SunNet's Corporate Training Management System (CTMS) and Corporate Appraisal Performance System (CAPS). These flaws include a SQL injection vulnerability and an arbitrary file upload weakness that could lead to full system compromise.
Taiwan CERT flags “EtherHide” as an emerging blockchain-based C2 technique paired with ClearFake fake-update lures
Taiwan’s national CERT (TWCERT/CC) warns that attackers are increasingly using public blockchains as command-and-control (C2) infrastructure. The advisory highlights “EtherHide,” a technique first described by security researchers in October 2023, where adversaries store malicious commands or payload locations inside smart contracts. Malware (or malicious web scripts) can then query the chain for updated instructi...
Taiwan CERT warns WSUS RCE CVE-2025-59287 (CVSS 9.8) is under active exploitation
Taiwan’s TWCERT/CC is urging organizations to immediately patch a high-severity Windows Server Update Services (WSUS) vulnerability, CVE-2025-59287 (CVSS 9.8), after U.S. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog and Dutch NCSC-NL also confirmed real-world exploitation. The flaw enables unauthenticated remote code execution as SYSTEM via a deserialization trigger, but only impacts Windows Ser...
Microsoft Launches Real-Time Data Loss Prevention for Copilot Prompt Inputs
Microsoft has released a significant security update for Microsoft 365 Copilot, introducing real-time Data Loss Prevention (DLP) for prompt inputs. The feature uses Microsoft Purview to detect and block sensitive information—such as credit card numbers or internal project codes—from being processed by the AI, preventing accidental data leakage while maintaining operational productivity.
Taiwan CERT flags three critical unauthenticated flaws in legacy Borg SPM 2007 (CVE-2026-6885/6886/6887)
TWCERT/CC published a Taiwan Vulnerability Note warning that Borg SPM 2007 (a product discontinued in 2008) contains three critical, remotely exploitable vulnerabilities requiring no authentication: arbitrary file upload enabling webshell execution, an authentication bypass, and SQL injection. The advisory urges affected customers to contact the vendor for patches or upgrade to a newer supported release.
Taiwan CERT warns of two critical MailGates/MailAudit vulnerabilities enabling unauthenticated RCE and file access
TWCERT/CC published TVN-202604003 detailing two vulnerabilities in Openfind’s MailGates/MailAudit email security/audit products. One issue (CVE-2026-6350) is a critical stack-based buffer overflow rated 9.8 that could allow unauthenticated remote code execution. The second (CVE-2026-6351) is a high-severity CRLF injection rated 7.5 that could allow unauthenticated access to system files. Openfind’s technical team ...
TWCERT warns of critical OS command injection in Hgiga iSherlock (CVE-2026-6349)
Taiwan’s TWCERT/CC published a critical vulnerability notice for an OS command injection flaw in Hgiga iSherlock appliances/software, including MailSherlock, SpamSherlock, and AuditSherlock. The issue (CVE-2026-6349, CVSS 9.8) could allow arbitrary OS command execution on the server under the conditions described in the advisory. Hgiga provides fixed package versions for both the 4.5 and 5.5 branches.
Taiwan CERT warns of high-severity authentication flaw in WinMatrix agent (CVE-2026-6348) enabling system-level code execution
TWCERT/CC disclosed a high-severity “Missing Authentication” vulnerability in WinMatrix agent software from Da Yang Technology (達煬科技). The issue (CVE-2026-6348, TVN-202604001) affects WinMatrix agent versions 3.5.13 through 3.5.26.15 and could allow an already-authenticated local attacker to execute arbitrary code with SYSTEM privileges on the local host and other hosts in the same environment that have the agent ...
Taiwan’s TWCERT/CC convenes 2025 incident response conference, spotlighting secure-by-design and PSIRT as supply-chain trust levers
Taiwan’s national CERT (TWCERT/CC) held its 2025 Taiwan Cybersecurity Incident Notification & Response Annual Conference on Dec. 3 under the theme “Build Secure Products, Connect a Trusted Defense Line.” Government leaders from the Ministry of Digital Affairs and the Administration for Cyber Security emphasized that product security is now tied to brand trust and global market access, citing AI, IoT, and smart man...
Rise of Go-Based ICE Cloud Scanners in Q1 2026 Database Attacks
Threat actors, specifically the Larva-26002 group, are increasingly targeting misconfigured Windows-based MS-SQL and MySQL servers. Recent Q1 2026 data indicates a shift toward using 'ICE Cloud,' a new Go-language scanner tool used for post-exploitation reconnaissance and environment discovery, often following initial access achieved through brute-force or dictionary attacks on poorly managed database credentials.
Windows Web Server Exploitation Trends: Analysis of Q1 2026 Attack Patterns
AhnLab SEcurity intelligence Center (ASEC) reports persistent targeting of Windows-based IIS and Apache Tomcat servers in Q1 2026. Attackers, notably the Larva-26001 threat actor, utilize web shell command execution, privilege escalation exploits like JuicyPotato, and port-forwarding tools to seize control of infected systems through RDP-mediated access and internal network lateral movement.
AhnLab April 2026 Dark Web Intelligence: High-Value Defense and Aerospace Data Leak Trends
The April 2026 dark web landscape was dominated by the leak of critical aerospace, defense, and military intelligence, including Boeing Artemis and Virginia-class submarine data. Notable activity from threat groups like ShinyHunters and the resurgence of BreachForums highlighted high-risk exposure across technology, financial, and government sectors, alongside the increasing commoditization of Phishing-as-a-Servic...
CISA Expands KEV Catalog with ScreenConnect Path Traversal and Windows Shell Spoofing Vulnerabilities
CISA has added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: a high-severity path traversal flaw in ConnectWise ScreenConnect and a Windows Shell spoofing vulnerability. Both flaws have confirmed active exploitation in the wild, requiring federal agencies and private organizations to prioritize patching to prevent unauthorized remote access and network-based identity spoofing.