Palo Alto Networks warns of firewall RCE zero-day exploited in attacks
Palo Alto Networks warned that attackers are exploiting CVE-2026-0300, a critical PAN-OS buffer overflow vulnerability affecting the User-ID Authentication Portal, also known as the Captive Portal. The flaw can allow unauthenticated remote code execution with root privileges on exposed PA-Series and VM-Series firewalls. This matters because internet-facing security appliances are high-value targets, and teams using affected Palo Alto firewalls should restrict portal access to trusted zones or disable the portal until fixed versions are available.
Government, Scientific Entities Hit via Daemon Tools Supply Chain Attack
Kaspersky reported an active supply chain attack involving trojanized versions of Daemon Tools distributed from the software’s legitimate website. The malicious versions reportedly attempted to deploy an information collector on thousands of machines across more than 100 countries, then narrowed follow-on backdoor activity to a smaller set of government, scientific, manufacturing, and retail targets. The practical concern is that signed software from a legitimate vendor can still become an initial access path, so teams should validate affected versions, review endpoint telemetry, and treat software update channels as part of their supply chain risk surface.
Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs
Cisco Talos researchers detailed an intrusion using CloudZ RAT and a plugin called Pheno to abuse Microsoft Phone Link on Windows systems. The malware can inspect Phone Link activity and potentially access synchronized phone data, including SMS messages and one-time passwords, without directly compromising the mobile device. This matters because cross-device convenience features can create unexpected identity risk, especially when attackers already have endpoint access and are trying to bypass MFA or steal session-supporting data.
Google expands Android Binary Transparency to counter supply chain attacks
Google expanded Android Binary Transparency for production Android apps released after May 1, adding a public, append-only ledger that lets users and researchers verify whether Google-signed software was actually authorized for release. This helps address a gap where a valid signature proves who signed a binary, but not whether that binary was intended for production. The security value is straightforward: it gives defenders and researchers a stronger way to detect unauthorized or one-off software builds, including those tied to stolen keys, insider abuse, or compromised release processes.
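To make the signature-versus-authorization distinction concrete, here is a toy append-only log with Merkle inclusion proofs. This is an added illustration written for this digest, not Google's Android Binary Transparency implementation or any of its code: the HMAC stands in for a real code signature, the tree uses the RFC 6962 Merkle layout, and the release names are constructed. The point it shows is that a build signed with the legitimate key but never entered in the log passes the signature check and fails the inclusion check, which is exactly the gap a public ledger closes.

```python
"""Toy append-only transparency log with Merkle inclusion proofs.

Constructed example, not Google's implementation. A valid signature shows
who signed a build; an inclusion proof against a public log shows the
build was actually published as a release. The HMAC "signature" is a
stand-in for a real code signature; the tree follows RFC 6962.
"""
import hashlib
import hmac

# Stand-in for the vendor's release-signing key (constructed value).
SIGNING_KEY = b"release-signing-key-constructed"


def sign(artifact: bytes) -> bytes:
    """Stand-in for a code signature: HMAC-SHA256 over the artifact bytes."""
    return hmac.new(SIGNING_KEY, artifact, hashlib.sha256).digest()


def signature_valid(artifact: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(artifact), sig)


def leaf_hash(data: bytes) -> bytes:
    """Domain-separated leaf hash (0x00 prefix, RFC 6962 style)."""
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """Domain-separated interior node hash (0x01 prefix)."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(leaves: list[bytes]) -> bytes:
    """Merkle tree hash over already-hashed leaves."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: list[bytes], index: int) -> list[tuple[bytes, str]]:
    """Sibling hashes from the leaf upward, each tagged with the side it sits on."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [(merkle_root(leaves[k:]), "right")]
    return inclusion_proof(leaves[k:], index - k) + [(merkle_root(leaves[:k]), "left")]


def verify_inclusion(artifact: bytes, proof, root: bytes) -> bool:
    """Recompute the root from the artifact and its proof; compare to the published root."""
    h = leaf_hash(artifact)
    for sibling, side in proof:
        h = node_hash(h, sibling) if side == "right" else node_hash(sibling, h)
    return hmac.compare_digest(h, root)


class TransparencyLog:
    """Append-only list of release hashes; the root commits to every entry so far."""

    def __init__(self) -> None:
        self.leaves: list[bytes] = []

    def append(self, artifact: bytes) -> int:
        self.leaves.append(leaf_hash(artifact))
        return len(self.leaves) - 1

    def root(self) -> bytes:
        return merkle_root(self.leaves)

    def proof_for(self, index: int):
        return inclusion_proof(self.leaves, index)


def check_release(artifact: bytes, sig: bytes, proof, root: bytes) -> dict:
    """What a verifier checks: signature and log inclusion are independent questions."""
    return {
        "signature_valid": signature_valid(artifact, sig),
        "logged": verify_inclusion(artifact, proof, root),
    }


def demo():
    """Authorized releases pass both checks; a build signed with the same key
    but never logged passes the signature check and fails inclusion."""
    log = TransparencyLog()
    releases = [b"app-v1.0 (constructed)", b"app-v1.1 (constructed)", b"app-v1.2 (constructed)"]
    for r in releases:
        log.append(r)
    root = log.root()  # the value monitors would pin and watch
    authorized = check_release(releases[1], sign(releases[1]), log.proof_for(1), root)
    rogue = b"app-v1.1-oneoff (constructed)"  # valid key, never entered in the log
    unlogged = check_release(rogue, sign(rogue), log.proof_for(1), root)
    return authorized, unlogged


if __name__ == "__main__":
    print(demo())
```

Running the module prints two results: the authorized release reports both checks true, while the unlogged build reports a valid signature and a failed inclusion proof. Because the log is append-only, a one-off build cannot be slipped in after the fact without changing a root that monitors have already recorded, which is what lets researchers detect it.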
Latvian national sentenced for ransomware attacks run by former Conti leaders
A Latvian national was sentenced to 102 months in prison for helping a ransomware crew tied to former Conti leaders extort more than 54 companies. Prosecutors said he helped pressure victims, analyze stolen data, and support extortion activity across brands including Conti, Karakurt, Royal, and others. This matters because it shows law enforcement continuing to target the operational roles that make ransomware profitable, not just the people who deploy malware.
The post InfoSec News Nuggets 05/06/2026 appeared first on AboutDFIR – The Definitive Compendium Project.