NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions
NIST has announced a significant shift in how it handles the National Vulnerability Database, stating it will now only automatically enrich CVEs that meet specific prioritization criteria — namely those appearing in CISA’s Known Exploited Vulnerabilities catalog, those affecting software used within the federal government, and those covering critical software as defined under Executive Order 14028. The change, which went into effect April 15, was driven by a 263% surge in CVE submissions between 2020 and 2025, with Q1 2026 submissions already running nearly a third higher than the same period last year. CVEs outside these criteria will still be listed in the NVD but will sit unenriched, leaving organizations that rely solely on NIST as their authoritative vulnerability source with significant gaps — though users can request enrichment for high-impact CVEs by emailing NIST directly.
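For teams that treat the NVD as their vulnerability source of truth, the practical consequence is that a listed CVE may carry no CVSS score or CPE data. The triage helper below is an added example, not code from the original post: it walks records in the NVD API 2.0 JSON shape (cve.id, cve.vulnStatus, cve.metrics, cve.configurations), flags entries NIST has not enriched, and separates those that fall under the KEV criterion (which NIST should still enrich) from those that will need another data source or a direct enrichment request. The sample records and the KEV set are constructed placeholders.

```python
"""Flag unenriched NVD records and sort them by the stated prioritization criteria.

Added example, not from the original post. Record layout follows the NVD API 2.0
JSON shape; the sample records and KEV IDs below are constructed, not real data.
"""
from typing import Iterable

# Constructed sample: one analyzed record, two still awaiting analysis.
SAMPLE_RECORDS = [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
             "configurations": [{"nodes": []}]}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
             "metrics": {}, "configurations": []}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis",
             "metrics": {}, "configurations": []}},
]

# Constructed placeholder standing in for the CISA KEV catalog.
SAMPLE_KEV = {"CVE-0000-0003"}


def is_enriched(record: dict) -> bool:
    """Enriched means NIST has attached CVSS metrics and CPE configurations."""
    cve = record["cve"]
    has_metrics = any(cve.get("metrics", {}).values())
    has_cpe = bool(cve.get("configurations"))
    analyzed = cve.get("vulnStatus") in ("Analyzed", "Modified")
    return analyzed and has_metrics and has_cpe


def triage(records: Iterable[dict], kev_ids: set) -> dict:
    """Bucket CVE IDs: enriched, unenriched but in KEV (re-check NVD later),
    or unenriched outside the criteria (needs another source or an enrichment request)."""
    out = {"enriched": [], "unenriched_kev": [], "unenriched_other": []}
    for rec in records:
        cve_id = rec["cve"]["id"]
        if is_enriched(rec):
            out["enriched"].append(cve_id)
        elif cve_id in kev_ids:
            out["unenriched_kev"].append(cve_id)
        else:
            out["unenriched_other"].append(cve_id)
    return out


if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_RECORDS, SAMPLE_KEV).items():
        print(f"{bucket}: {ids}")
```

Records landing in the last bucket are the ones where a vulnerability management pipeline that keys scoring or asset matching off NVD data will silently produce nothing.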
Operation PowerOFF: DDoS-for-Hire Services Dismantled, 75,000 Users Identified and Warned
A coordinated law enforcement action involving the FBI, Europol, and 21 participating countries targeted the DDoS-for-hire ecosystem last week, resulting in four arrests, the seizure of 53 domains, and 25 search warrants executed globally as part of the long-running Operation PowerOFF. Investigators seized backend infrastructure and databases linked to booter and stresser services, uncovering details on over three million criminal user accounts — information that was then used to send more than 75,000 warning emails and letters to suspected users of the services, alongside warning ads placed on search engines to intercept anyone still searching for DDoS-for-hire platforms. The operation also included blockchain tracing to warn users who attempted to pay for attacks with cryptocurrency, marking a notable shift toward disrupting demand rather than just dismantling supply.
Two Americans Jailed for Running North Korean IT Worker Laptop Farms at Over 100 US Firms
Two New Jersey men — Kejia Wang, sentenced to 108 months, and Zhenxing Wang, sentenced to 92 months — were sent to prison this week for their roles in a multi-year scheme that helped North Korean IT workers steal the identities of more than 80 US citizens and secure remote employment at over 100 American companies, including many Fortune 500 firms. The operation, which ran from 2021 through 2024, generated over $5 million in illicit revenue for the North Korean government while causing an estimated $3 million in damages to victim companies, and also resulted in North Korean workers accessing sensitive data including US military technology subject to ITAR controls. The sentencings are part of the DOJ’s broader DPRK RevGen domestic enabler initiative, which has now dismantled laptop farms across 16 states and identified the North Korean nationals behind the schemes — four of whom remain at large with a $5 million bounty on their whereabouts.
Apache ActiveMQ Classic Vulnerability Exploited in the Wild, Added to CISA KEV
CISA added CVE-2026-34197, a high-severity Apache ActiveMQ Classic vulnerability, to its Known Exploited Vulnerabilities catalog this week after confirming active exploitation in the wild, with federal agencies given until April 30 to apply patches. The flaw is an improper input validation issue that allows attackers to execute arbitrary OS commands by tricking the broker into fetching a remote configuration file via its Jolokia API — and researchers at Horizon3.ai noted it had been hiding in ActiveMQ’s codebase for 13 years before its discovery. ActiveMQ is a widely deployed open-source message broker used in enterprise environments, making this a high-priority patch for any organization running vulnerable versions.
Grinex Crypto Exchange Claims Western Intelligence Agencies Were Behind $13M Heist
Russian cryptocurrency exchange Grinex has publicly claimed that Western intelligence agencies were responsible for a $13 million theft from its platform, framing the incident as a state-sponsored cyberattack rather than a conventional criminal breach. The claim comes amid ongoing geopolitical tensions and follows a broader pattern of Russian state-linked actors attributing cyberattacks and financial crimes to Western governments, though Grinex has not provided technical evidence to support the accusation. Security researchers have noted the exchange has faced regulatory scrutiny and has previously been linked to sanctions evasion activity, raising questions about whether the “state-sponsored” framing is an attempt to deflect accountability or legitimately reflects an adversarial intrusion.
The post InfoSec News Nuggets 04/20/2026 appeared first on AboutDFIR – The Definitive Compendium Project.