Security news.
Today's cybersecurity news highlights active exploitation of critical vulnerabilities, including a high-severity Apache ActiveMQ flaw and multiple Microsoft Defender zero-days. We also see the continued evolution of phishing tactics following the disruption of Tycoon 2FA, and a significant cryptocurrency exchange hack.
$13.74M Hack Shuts Down Sanctioned Grinex Exchange
Grinex, a cryptocurrency exchange sanctioned by the U.K. and U.S., has suspended operations after a $13.74 million hack it attributes to Western intelligence agencies.
Mirai Variant Nexcorium Exploits CVE-2024-3721
A Mirai variant, Nexcorium, is exploiting CVE-2024-3721 in TBK DVRs and flaws in end-of-life TP-Link Wi-Fi routers to build a DDoS botnet.
Tycoon 2FA Phishing Tactics Evolve After Disruption
Following the disruption of the Tycoon 2FA platform, threat actors are reusing its tools in other phishing kits and adopting device code phishing techniques to bypass MFA.
Payouts King Ransomware Uses QEMU VMs to Bypass Security
The Payouts King ransomware is employing the QEMU emulator to run hidden virtual machines via a reverse SSH backdoor, aiming to bypass endpoint security solutions.
Three Microsoft Defender Zero-Days Actively Exploited
Threat actors are actively exploiting three recently disclosed zero-day vulnerabilities (BlueHammer, RedSun, UnDefend) in Microsoft Defender to gain elevated privileges on compromised systems, with two still unpatched.
Apache ActiveMQ CVE-2026-34197 Added to CISA KEV
CISA has added a high-severity Apache ActiveMQ Classic vulnerability (CVE-2026-34197) to its Known Exploited Vulnerabilities catalog due to active exploitation in the wild.
NIST's Cutback of CVE Handling Impacts Cyber Teams
NIST has announced changes to its National Vulnerability Database (NVD) operations, limiting CVE data enrichment due to a surge in submissions, which will impact how cyber teams prioritize vulnerabilities.
Windows Servers Enter Reboot Loops After April Patches
Microsoft has warned that some Windows domain controllers are experiencing restart loops after installing the April 2026 security updates.