Media Coverage

Yesterday a court-authorized international law enforcement operation led by the U.S. Justice Department disrupted SocksEscort, a residential proxy network used to exploit thousands of residential routers worldwide and commit large-scale fraud. According to court documents, SocksEscort infected home and small business internet routers with malware. The malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers.

The FBI Sacramento Field Office, the Department of Defense Office of Inspector General’s Defense Criminal Investigative Service, and IRS Criminal Investigation Oakland Field Office are investigating the case. Investigators and prosecutors from several jurisdictions provided assistance, including Europol, Eurojust, and authorities in the following countries: Austria, Bulgaria, France, Germany, Hungary, Netherlands and Romania.

Additionally, the Department of Justice offers its thanks to Lumen’s Black Lotus Labs and the Shadowserver Foundation for the assistance provided by each during the investigation and the operation.

A major phishing-as-a-service platform used to bypass multi-factor authentication (MFA) and enable large-scale account compromise has been disrupted following a coordinated international operation supported by Europol. The service, known as Tycoon 2FA, provided cybercriminals with a subscription-based toolkit designed to intercept live authentication sessions and gain unauthorised access to online accounts, including those protected by additional security layers.

The action was carried out by law enforcement partners and private sector stakeholders working hand in hand, coordinated by Europol’s European Cybercrime Centre (EC3). Law enforcement authorities: Latvia: State Police, Lithuania: Criminal Police Bureau, Portugal: Judicial Police, Poland: Central Cybercrime Bureau, Spain: National Police and Guardia Civil, United Kingdom: National Crime Agency. Private partners engaged through Europol: Cloudflare, Coinbase, Intel471, Microsoft, Proofpoint, Shadowserver Foundation, SpyCloud, Trend Micro.

The Cyber Intelligence Extension Programme (CIEP) strengthens public-private cooperation in tackling cybercrime by enabling private-sector partners to contribute actionable intelligence to support operational outcomes. This Europol programme – a first of its kind – brings together experts from the private sector to work temporarily side by side in The Hague on specific projects with EC3 analysts and investigators.

A critical RCE vulnerability (CVE-2025-14500) in IceWarp, an EU-made business communication and collaboration platform, may be exploited by attackers to gain unauthorized access to exposed unpatched servers. According to the Shadowserver Foundation, there are currently over 1,200 internet-facing instances that have yet to receive a fix, and the organization is sending out alerts to the owners, urging them to update.

The Shadowserver Foundation has revealed that over 900 Sangoma FreePBX instances still remain infected with web shells as part of attacks that exploited a command injection vulnerability starting in December 2025. The non-profit entity said the compromises are likely accomplished via the exploitation of CVE-2025-64328 (CVSS score: 8.6), a high-severity security flaw that could enable post-authentication command injection.

The Common Good Cyber Fund (CGCF) is a multi-year funding initiative designed to strengthen global digital cybersecurity by supporting nonprofit organizations that deliver critical services underpinning the Internet’s core infrastructure and protecting civil society actors at high risk, including NGOs, journalists, and human rights defenders.

In late 2025, the Internet Society Foundation launched a pilot of the Common Good Cyber Fund grant strategy to serve as a proof of concept for the fund and to address urgent financial needs in the global cybersecurity nonprofit ecosystem. A small group of nonprofit cybersecurity-focused organizations was invited to apply for the pilot grants: Access Now, CyberPeace Institute, Forum of Incident Response and Security Teams (FIRST), Internet Security Research Group (ISRG), and The Shadowserver Foundation.

CISA flagged two Roundcube Webmail vulnerabilities as actively exploited in attacks and ordered U.S. federal agencies to patch them within three weeks. The first vulnerability tagged as actively abused by threat actors is a critical remote code execution flaw tracked as CVE-2025-49113, which was first flagged as exploited days after it was patched in June 2025, when Internet security watchdog Shadowserver warned that over 84,000 vulnerable Roundcube webmail installations were vulnerable to attacks.

Hackers have launched an unprecedented scanning operation, employing tens of thousands of IP addresses to hunt for vulnerable Ivanti Endpoint Manager Mobile (EPMM) instances. Dozens of organizations have already been compromised. Shadowserver reports over 1,200 exposed Ivanti EPMM instances worldwide without vulnerability assessment – it’s unclear how many remain vulnerable. Most instances are likely not directly exposed to the internet, as network administrators typically deploy them behind corporate firewalls.

“The massive attempt, via a botnet or residential proxy network, maybe, is quite unprecedented,” Piotr Kijewski, CEO at The Shadowserver Foundation, told Cybernews.

Over 170 SolarWinds Web Help Desk installations remain vulnerable to a critical remote code execution (RCE) flaw that has been actively exploited in the wild and recently added to CISA’s Known Exploited Vulnerabilities catalog. The vulnerability, tracked as CVE-2025-40551, carries a CVSS score of 9.8. The Shadowserver Foundation has been tracking and reporting vulnerable SolarWinds Help Desk installations through its Vulnerable HTTP reports, identifying approximately 170 exposed instances based on version checks.

Ivanti issued advisories Thursday for the code injection flaws, which impact the on-premises version of Ivanti EPMM. The vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, allow an attacker to achieve remote code execution if successfully exploited. The flaws have a severity score of 9.8.

On Saturday, researchers from the Shadowserver Foundation reported a spike in exploitation attempts against CVE-2026-1281. As of Tuesday, exposure has dropped to 1,400, but threat activities were still ongoing, “which include attempts to execute callbacks or set up reverse shells,” Shadowserver CEO Piotr Kijewski told Cybersecurity Dive.